21

Trying to debug a random error on a rather complex ASP.net page, there is a good deal of ADO.net MS-SQL which is where I started trouble shooting. However as of yet I haven't been able to narrow it down. Funny thing is when I debug the code locally in VS (against the same DB connection) I don't get an error. Yet when the code is run against IIS it throws the following error. Anyone encountered anything similar ?

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 

[InvalidOperationException: Operation is not valid due to the current state of the    object.]
System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)  +11368719
System.Web.HttpRequest.FillInFormCollection() +329

[HttpException (0x80004005): The URL-encoded form data is not valid.]
   System.Web.HttpRequest.FillInFormCollection() +11482818
   System.Web.HttpRequest.get_Form() +157
   System.Web.HttpRequest.get_HasForm() +11483620
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +141
   System.Web.UI.Page.DeterminePostBackMode() +100
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean  includeStagesAfterAsyncPoint) +259

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272
bumble_bee_tuna
  • 3,533
  • 7
  • 43
  • 83

1 Answers1

51

Could it be in relation to this issue? A suggested workaround is to add the following in your web.config:

<appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="2000" />
</appSettings>

Scott Gu also blogged about this vulnerability discovered in ASP.NET.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • I'm not going to know for sure till I go back over there, however I think this is the issue as the page is very complex, and I know the sysadmin just recently updated the server. Was this the patch for the padding oracle exploit ? – bumble_bee_tuna Jan 23 '12 at 21:44
  • 2
    @bumble_bee_tuna, no, this is not the padding oracle. It's a new one. – Darin Dimitrov Jan 23 '12 at 21:45
  • 2
    Wow, bad year for ASP security, lol. Thanks for the insight that had the potential to cause me a bit of headache. I'm going to mark as answer because all signs point to that. Code worked fine for months, server just patched, very large complex page. Thanks again Darin – bumble_bee_tuna Jan 23 '12 at 21:55
  • 4
    ugh, darn the client for wanting that huge grid full of controls – jumpdart Feb 14 '12 at 15:43
  • 3
    voted up - this fixed my issue. Interestingly I couldn't duplicate this error on my localhost, only on our dev server. – Ben Barreth Aug 31 '12 at 20:49
  • I wonder how this could be used in a desktop application? I have to call `System.Web.HttpUtility.ParseQueryString` from a desktop app because this silly API returns the result as a form-encoded string. It may be *rather long*. Putting the `appSettings` node into the app.config file makes it fail very quickly with a message, Configuration system failed to initialize. – GSerg Mar 02 '20 at 15:31