ASP.NET User-Agent limitation expanded from 256 to 512 characters

Today, I am pleased to bring you a guest posting from one of my colleagues, Daisuke Maki, Escalation Engineer for Web Developer technologies in Microsoft Japan. In fact this is the English translation of Daisuke’s original posting in Japanese which is available here.

 

“For security reasons, ASP.NET (1.1 and 2.0) limited the maximum length of User-Agent strings to 256 characters. We have released fixes so that ASP.NET recognizes User-Agent strings that contain as many as 512 characters.

ASP.NET 1.1

- Knowledge Base Article

FIX: You cannot browse an ASP.NET 1.1 Web site if the User-Agent string that is in the browser contains more than 256 characters
support.microsoft.com/kb/974762/en-us

- Hotfix packages

Version: System.Web.dll >= 1.1.4322.2456

Please contact Microsoft Support to get the package.

- Symptom

When ASP.NET 1.1 receives a request with a User-Agent string exceeding 256 characters, ASP.NET 1.1 can’t recognize the browser and Request.Browser.Browser is “Unknown”. ASP.NET then renders the page for the lowest-functionality browser (e.g. JavaScript for client-side validation is not rendered). As a result, the content of the Web site may not render correctly.

- Repro Steps

1) Put the following file as “test.aspx”

UA:<% = Request.UserAgent %><BR>
Browser:<% = Request.Browser.Browser %><BR>

<form id="Form1" runat="server">
<asp:TextBox id="TextBox1" runat="server" ForeColor="Lime" BackColor="Red"></asp:TextBox>
</form>

2) Add the following registry value to the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Test REG_SZ (long string. For example 0123456789012345……)

3) Access the page. You can find that Request.Browser.Browser is “Unknown” and the ForeColor and BackColor of TextBox1 are lost.

- Workaround

Add the following browsercaps element to the application’s web.config. This setting means “if UserAgent.Length > 256 then the browser is IE6”

<browserCaps>
<filter>
<case match="^$">
browser=IE
version=6.0
majorversion=6
minorversion=0
win32=true
platform=WinXP
frames=true
tables=true
cookies=true
backgroundsounds=true
vbscript=true
javascript=true
javaapplets=true
activexcontrols=true
tagwriter=System.Web.UI.HtmlTextWriter
ecmascriptversion=1.2
msdomversion=6.0
w3cdomversion=1.0
css1=true
css2=true
xml=true
isMobileDevice="false"</case>
</filter>
</browserCaps>

ASP.NET 2.0

- Knowledge Base Article

FIX: You may not successfully browse an ASP.NET Web site if the User-Agent string contains more than 256 characters
support.microsoft.com/kb/962204/en-us

- Hotfix packages

For Windows 2000, XP, 2003

Version: System.Web.dll >= 2.0.50727.4028

URL: code.msdn.microsoft.com/KB969612

For Windows Vista, 7, 2008

Version: System.Web.dll >= 2.0.50727.4013

URL: code.msdn.microsoft.com/KB967535

- Symptom

When ASP.NET 2.0 receives a request with a User-Agent string exceeding 256 characters, ASP.NET 2.0 truncates the string at 256 characters. After that, some information that is contained in the string may become invalid. As a result, the page may raise an error.

- Repro Steps

1) Put the following file as “test.aspx”

UA:<% = Request.UserAgent %><BR>
ClrVer:<% = Request.Browser.ClrVersion %>

2) Access the page using Request Builder of Fiddler2 ( https://www.fiddler2.com/fiddler2/ ). Please set its User-Agent as:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YTB720; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; YJSG3)
NOTE: ASP.NET truncates this string to “Mozilla/4.0 …. .NET CLR 3”. ASP.NET can’t read ClrVersion from “.NET CLR 3”.

3) You can see an error with a stack trace similar to the following:

[ArgumentException: Version string portion was too short or too long.]
System.Version..ctor(String version) + 7477288
System.Web.Configuration.HttpCapabilitiesBase.GetClrVersions() +376
System.Web.Configuration.HttpCapabilitiesBase.get_ClrVersion() +7

- Workaround

None.”

 

Thank you Daisuke!

One further note. When we were looking into this issue I did some parsing of IIS logs for a public facing web site I look after. From that I found that only a fairly small proportion of requests show a User-Agent string exceeding 256 and a minuscule proportion (about 1 or 2 in 10000 if I recall correctly) exceeding 512. Most cases of very large User-Agent strings were where this field was being (arguably inappropriately) overloaded for other purposes.

HTH

Doug
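
The log check mentioned in the closing note, combined with the 256-character truncation from the ASP.NET 2.0 repro steps, as an added Python example that is not part of the original post or Microsoft's code. The log lines, field order and function names are constructed for illustration, and the version-shape test is a simplified stand-in for what System.Version accepts.

```python
import re

OLD_LIMIT, NEW_LIMIT = 256, 512  # User-Agent limits before and after the hotfixes

# User-Agent from the ASP.NET 2.0 repro steps; the log lines below are constructed.
LONG_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YTB720; GTB6; "
           "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; "
           ".NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; "
           "OfficeLivePatch.1.3; YJSG3)")
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status",
    "2009-11-02 10:00:01 GET /test.aspx 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200",
    "2009-11-02 10:00:02 GET /test.aspx 192.0.2.11 " + LONG_UA.replace(" ", "+") + " 500",
    "2009-11-02 10:00:03 GET /test.aspx 192.0.2.12 " + "X" * 600 + " 200",
])

def user_agents(log_text):
    """Yield cs(User-Agent) values, locating the column from each #Fields directive."""
    idx = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            idx = fields.index("cs(User-Agent)") if "cs(User-Agent)" in fields else None
        elif line and not line.startswith("#") and idx is not None:
            cols = line.split(" ")
            if len(cols) > idx:
                # IIS logs spaces in this field as '+'; the length is unchanged.
                yield cols[idx].replace("+", " ")

def broken_clr_tokens(ua, limit=OLD_LIMIT):
    """Return '.NET CLR' tokens in the first `limit` characters that are not a
    2-to-4 part dotted version, the shape System.Version accepts."""
    tokens = re.findall(r"\.NET CLR ([^;)]*)", ua[:limit])
    return [t for t in tokens if not re.fullmatch(r"\d+(\.\d+){1,3}", t.strip())]

def summarize(log_text):
    """Count requests over each limit and list those whose truncated prefix breaks."""
    stats = {"total": 0, "over_256": 0, "over_512": 0, "broken_clr": []}
    for ua in user_agents(log_text):
        stats["total"] += 1
        stats["over_256"] += len(ua) > OLD_LIMIT
        stats["over_512"] += len(ua) > NEW_LIMIT
        bad = broken_clr_tokens(ua) if len(ua) > OLD_LIMIT else []
        if bad:
            stats["broken_clr"].append((len(ua), bad))
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Requests counted in `over_256` but not `over_512` are the ones the hotfixes help; those in `over_512` are still cut short on a patched server.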