HttpRuleParser GetExpressionLength allows invalid characters. · dotnet/aspnetcore#2694

(1 comment) (0 reactions) (0 assignees)C# (37,933 stars) (10,653 forks)batch import

affected-fewarea-networkingbugfeature-http-abstractionshelp wantedseverity-minor

説明

From @jkotalik on Tuesday, August 22, 2017 4:19:40 PM

@Tratcher and I discovered that GetExpressionLength in HttpRuleParser allows invalid characters (including control characters in expressions. GetExpressionLength mentions that we don't really care about the content of a quoted string, however it seems appropriate that if a quoted string has an invalid character, it should throw on parsing here, not in Kestrel (or whatever server).

This would be a breaking change, as it would introduce a new place where an exception is thrown, however it is probably the right behavior.

Copied from original issue: aspnet/HttpAbstractions#923

技術スタック: csharp
領域: backend
Issue 種別: bug
難度: 3
推定時間: 1-3 hours
活動状況: stale
明確さ: mostly clear
前提条件: understanding of HTTP parsingC# programming
初心者向け度: 30
調査方針: The issue is in the GetExpressionLength method in HttpRuleParser.cs. The method currently allows invalid characters in quoted strings. To fix, refer to RFC 7230 for valid characters, and consider adding validation that throws an exception for invalid characters. This is a breaking change, so review existing tests and discuss with maintainers. The file is located at src/Microsoft.Net.Http.Headers/HttpRuleParser.cs.