Dealing with “The server committed a protocol violation. Section=ResponseStatusLine”
Today I had an O2 Platform user that had a problem where some of its scripts/UnitTest did not work when not routing the requests via the Fiddler web project.
When making the request directly we would receive a The server committed a protocol violation. Section=ResponseStatusLine .NET internal execption (which a Google Search will show it is quite common).
After a bit of debug (and a couple O2 scripts later) I was able to track it down to the UseUnsafeHeaderParsing configuration setting which needs to be set to true (the defaulf is false)
There are two ways to set this UseUnsafeHeaderParsing value:
1) on the {exefile}.appconfig settings file:
<system.net> <settings> <httpWebRequest useUnsafeHeaderParsing = "true"/> </settings> </system.net>
2) programatically
Action<bool> setUseUnsafeHeaderParsing =
(value)=>{
var settingsSection = "System".assembly().type("SettingsSectionInternal");
var section = settingsSection.prop("Section");
section.field("useUnsafeHeaderParsing",value);
var useUnsafeHeaderParsing = section.field("useUnsafeHeaderParsing");
"useUnsafeHeaderParsing = {0}".info(useUnsafeHeaderParsing);
};
setUseUnsafeHeaderParsing(true);
This script is also a good example of O2‘s powerful refection API.
Note for example how this code should look like (when using .NET Reflection APIs directly). Code snippet from http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/ff098248-551c-4da9-8ba5-358a9f8ccc57
public static bool SetAllowUnsafeHeaderParsing20()
{
//Get the assembly that contains the internal class
Assembly aNetAssembly = Assembly.GetAssembly(typeof(System.Net.Configuration.SettingsSection));
if (aNetAssembly != null)
{
//Use the assembly in order to get the internal type for the internal class
Type aSettingsType = aNetAssembly.GetType("System.Net.Configuration.SettingsSectionInternal");
if (aSettingsType != null)
{
//Use the internal static property to get an instance of the internal settings class.
//If the static instance isn't created allready the property will create it for us.
object anInstance = aSettingsType.InvokeMember("Section",
BindingFlags.Static | BindingFlags.GetProperty | BindingFlags.NonPublic, null, null, new object[] { });
if (anInstance != null)
{
//Locate the private bool field that tells the framework is unsafe header parsing should be allowed or not
FieldInfo aUseUnsafeHeaderParsing = aSettingsType.GetField("useUnsafeHeaderParsing", BindingFlags.NonPublic | BindingFlags.Instance);
if (aUseUnsafeHeaderParsing != null)
{
aUseUnsafeHeaderParsing.SetValue(anInstance, true);
return true;
}
}
}
}
return false;
}
In fact, the O2 Script can be reduced further to:
Action<bool> setUseUnsafeHeaderParsing =
(value)=>{
"System".assembly().type("SettingsSectionInternal")
.prop("Section").field("useUnsafeHeaderParsing",value);
};
setUseUnsafeHeaderParsing(false);
6 Comments »
Leave a comment
About
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex)
Download
Windows ClickOnce Installer:
Mailing List
The best place to keep updated with the lastest news and developers it to subscribe to the OWASP O2 Platform Mailing list (you can read its archives here)
OWASP O2 Platform Blog 
[…] a variation of Dealing with “The server committed a protocol violation. Section=ResponseStatusLine” here a number of scripts that show how to use O2′s refection API to gain access to internal […]
The .NET 2 version also works in .NET 4, although it’s more verbose.
Thanks alot for the code! 🙂
So what was actually wrong with the header? Why not fix that problem instead of changing the app config?
in this case h2 would had not been able to run the tests via a web proxy (i.e. fiddler)
This script also shows how to dynamically change app.config settings (which is something I had been wanting to do for a while)
Another possibility: when doing a POST, the server responds with a 100 continue in an incorrect way.
This solved the problem for me:
request.ServicePoint.Expect100Continue = false;
[…] Enable/disable useUnsafeHeaderParsing. // See https://o2platform.wordpress.com/2010/10/20/dealing-with-the-server-committed-a-protocol-violation-se… public static bool ToggleAllowUnsafeHeaderParsing(bool enable) { //Get the assembly that contains […]
Pingback by The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF « Nurkartiko | January 31, 2013 |