HttpRuleParser GetExpressionLength allows invalid characters. · dotnet/aspnetcore#2694

(1 评论) (0 反应) (0 负责人)C# (37,933 star) (10,653 fork)batch import

affected-fewarea-networkingbugfeature-http-abstractionshelp wantedseverity-minor

描述

From @jkotalik on Tuesday, August 22, 2017 4:19:40 PM

@Tratcher and I discovered that GetExpressionLength in HttpRuleParser allows invalid characters (including control characters in expressions. GetExpressionLength mentions that we don't really care about the content of a quoted string, however it seems appropriate that if a quoted string has an invalid character, it should throw on parsing here, not in Kestrel (or whatever server).

This would be a breaking change, as it would introduce a new place where an exception is thrown, however it is probably the right behavior.

Copied from original issue: aspnet/HttpAbstractions#923

技术栈: csharp
领域: backend
议题类型: bug
难度: 3
预计时间: 1-3 hours
活动状态: stale
清晰度: mostly clear
前置要求: understanding of HTTP parsingC# programming
新手友好度: 30
研究方向: The issue is in the GetExpressionLength method in HttpRuleParser.cs. The method currently allows invalid characters in quoted strings. To fix, refer to RFC 7230 for valid characters, and consider adding validation that throws an exception for invalid characters. This is a breaking change, so review existing tests and discuss with maintainers. The file is located at src/Microsoft.Net.Http.Headers/HttpRuleParser.cs.