HttpRuleParser GetExpressionLength allows invalid characters. · dotnet/aspnetcore#2694

(1 comment) (0 reactions) (0 assignees)C# (37,933 stars) (10,653 forks)batch import

affected-fewarea-networkingbugfeature-http-abstractionshelp wantedseverity-minor

Description

From @jkotalik on Tuesday, August 22, 2017 4:19:40 PM

@Tratcher and I discovered that GetExpressionLength in HttpRuleParser allows invalid characters (including control characters in expressions. GetExpressionLength mentions that we don't really care about the content of a quoted string, however it seems appropriate that if a quoted string has an invalid character, it should throw on parsing here, not in Kestrel (or whatever server).

This would be a breaking change, as it would introduce a new place where an exception is thrown, however it is probably the right behavior.

Copied from original issue: aspnet/HttpAbstractions#923

Tech stack: csharp
Domain: backend
Issue type: bug
Difficulty: 3
Estimated time: 1-3 hours
Activity status: stale
Clarity: mostly clear
Prerequisites: understanding of HTTP parsingC# programming
Newbie friendliness: 30
Research direction: The issue is in the GetExpressionLength method in HttpRuleParser.cs. The method currently allows invalid characters in quoted strings. To fix, refer to RFC 7230 for valid characters, and consider adding validation that throws an exception for invalid characters. This is a breaking change, so review existing tests and discuss with maintainers. The file is located at src/Microsoft.Net.Http.Headers/HttpRuleParser.cs.