locked
Microsoft security bulletin MS11-100 breaking rendering of .pdfs from our site RRS feed

  • Question

  • User1318199919 posted

    Installing Microsoft security bulletin MS11-100 breaks rendering of .pdfs from our site.

    These .pdfs are rendered from binary blobs from the database, and appropriate headers are applied to the .response object before the .response is returned.

    (straight .pdf links from our site work ok)

    Using Fiddler, I compared the binary response from when I "patched" my machine and "unpatched" (it works ok "unpatched") and the binary response appears identical.

    The only difference I could detect was the "Cache-Control" value is different if with the "patch".

    I've tried to manually set the "Cache-Control", by setting response.CacheControl to a value, but it seems to have no effect.

    Thoughts on how I can get this working again with the MS11-100 security patch?

    Thanks!

     

    Here "no patch" (works ok):

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: application/pdf
    Server: Microsoft-IIS/7.5
    Set-Cookie: .ASPXAUTH=CE592CBF54A480482641513EBA695B33A61DD2FC4587988F5A37C611B2043008F14326D42AAFBA232CD91A137233B561243E71BBD9C9FEA2C3D73827FC017CE1065BBB8A16CFD899ECA7A5ADEB9570C0814129D57860C9DC51C7FCC91FFAB103C5FAA36E47F296F4B9344CB397EC805A40633ACB2801DC05B9F5D2CF76557D61814B42210A0E69893782396EFDA9986371C4C97366D3332E675363DEDE79C172; path=/
    Content-Dis;filename=GrbReport.pdf
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 03 Jan 2012 23:21:08 GMT
    Content-Length: 477003

    %PDF-1.6
    %??????????
    1 0 obj
    <<
    /Producer (Acrobat Distiller 3.0 for Power Macintosh)
    /CreationDate (D:20031215123715Z)
    /ModDate (D:20110328164421-04'00')

    ...

     

    ----------------------

    Here's patched (doesn't work):

    HTTP/1.1 200 OK
    Cache-Control: private, no-cache="Set-Cookie"
    Content-Type: application/pdf
    Server: Microsoft-IIS/7.5
    Set-Cookie: .ASPXAUTH=5CC683A343EC1320267711C79539716234312D65D6C3B260DDE314AB6318689E37336476C856D2AC4275E7CAF8C8950BDE4280F3581B998626F913F8F0AD79F461DF137776BFA20C7639698CE4A361218805821E487341E190D2CC96DDDE7C624D1F522107F6C5EA515044EFC95F4A225F0E72680960BC1A2FC1EFC006CF31F9F00F281B4998EFEF15F78CD5E1DF9EB4DC037DB199C7BE6B64004D099357C117; path=/
    Content-Dis;filename=GrbReport.pdf
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 03 Jan 2012 23:10:19 GMT
    Content-Length: 477003

    %PDF-1.6
    %??????????
    1 0 obj
    <<
    /Producer (Acrobat Distiller 3.0 for Power Macintosh)
    /CreationDate (D:20031215123715Z)
    /ModDate (D:20110328164421-04'00')
    ...

     

    --------------------

     

     

    JUST FOUND A LINK REGARDING THE CACHE CONTROL:  IT EXPLAINS THAT THE PDF MIGHT NOT WORK WITH IT THIS WAY....BUT IT DOESN"T EXPLAIN WHY THE MS SECURITY PATCH CAUSE THIS PROBLEM, OR HOW TO SET THE CACHE CONTROL IN ASP.NET.  http://blogs.msdn.com/b/asiatech/archive/2011/12/09/internet-explorer-fails-to-open-pdf-file.aspx  THOUGHTS ON HOW TO FIX THIS WOULD BE APPRECIATED!

     

     

     

    Wednesday, January 4, 2012 5:53 PM

All replies

  • User-95994775 posted

    Greetings!

    Thank you for posting this.

    We just recently applied this and a few other microsoft security patches to our server and are noticing similar issues with the rendering of various MS Office document (word, excel, powerpoint) files, though PDF's have been working intermittently. We are still on asp.net2, iis6, and ie7 here.) 

    Using fiddler, I have seen the same change in cache-control settings that seem to be the root of our issues.

    Most of our files are static, but we do have a couple of places where we render some excel files dynamically over SSL, which this cache setting breaks. In these cases I managed to get around it by including Response.ClearContent() and Response.Clear() before rendering and Response.ClearHeaders() before making my own header settings (for mime typing, file naming, etc.).  Since you are rendering your files, this might help you, if you haven't found a solution for it yet.

    My current problem is how to deal with the static office document files. We are serving them via the standard StaticFileHandler so that we can have them subject to our sites' forms based security. So far I haven't found a way to remove the "no-cache" header setting introduced by this patch. I was hoping for a web.config setting or similar way to provide a default cache setting that can be used for these files.

    Any suggestions out there on how to do this in iis6?

     

    Thursday, January 19, 2012 11:46 AM
  • User1157902983 posted

    We have the same problem on Win2008 and Win2003 servers. I added a HTTP Header, Cache-control: no-store, to a site on each box. The Win2003 IIS6 site started working. There was no change to the Win2008 site.

    I am using IE8.

    Thursday, January 19, 2012 1:12 PM