dotnet/aspnetcore

HttpRuleParser GetExpressionLength allows invalid characters.

Open

#2,694 opened on Jan 2, 2018

View on GitHub
 (1 comment) (0 reactions) (0 assignees)C# (10,653 forks)batch import
affected-fewarea-networkingbugfeature-http-abstractionshelp wantedseverity-minor

Repository metrics

Stars
 (37,933 stars)
PR merge metrics
 (Avg merge 16d 9h) (258 merged PRs in 30d)

Description

From @jkotalik on Tuesday, August 22, 2017 4:19:40 PM

@Tratcher and I discovered that GetExpressionLength in HttpRuleParser allows invalid characters (including control characters in expressions. GetExpressionLength mentions that we don't really care about the content of a quoted string, however it seems appropriate that if a quoted string has an invalid character, it should throw on parsing here, not in Kestrel (or whatever server).

This would be a breaking change, as it would introduce a new place where an exception is thrown, however it is probably the right behavior.

Copied from original issue: aspnet/HttpAbstractions#923

Contributor guide