Skip to content

provide xml doc on IFormFile.FileName for user attention #64660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DeagleGross merged 3 commits into from
Dec 5, 2025
Merged

provide xml doc on IFormFile.FileName for user attention #64660

DeagleGross merged 3 commits into from
Dec 5, 2025
+10 −0

Conversation

@DeagleGross
Copy link
Member

@DeagleGross DeagleGross commented Dec 5, 2025

Describes that FileName should not be used directly as per doc. Raises user attention when using Filename directly

Copilot AI review requested due to automatic review settings December 5, 2025 10:16
@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Dec 5, 2025
@DeagleGross DeagleGross enabled auto-merge (squash) December 5, 2025 10:16
Copilot finished reviewing on behalf of DeagleGross December 5, 2025 10:18
Copilot AI reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds important security guidance to the IFormFile.FileName property documentation, warning developers about potential security risks when using the file name from untrusted sources. The documentation aligns with official ASP.NET Core security best practices.

  • Adds XML <remarks> section warning against using FileName for anything other than display/logging
  • Includes security guidance about HTML encoding and path manipulation risks
  • Provides a code example demonstrating how to sanitize file names

DeagleGross and others added 2 commits December 5, 2025 11:27
@DeagleGross
Update src/Http/Http.Features/src/IFormFile.cs
84c2258 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@DeagleGross
Update src/Http/Http.Features/src/IFormFile.cs
dee0a9a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@DeagleGross DeagleGross merged commit a5f5e0a into main Dec 5, 2025
30 checks passed
@DeagleGross DeagleGross deleted the dmkorolev/formfile-doc branch December 5, 2025 18:24
@dotnet-policy-service dotnet-policy-service bot added this to the 11.0-preview1 milestone Dec 5, 2025
@dotnet-maestro dotnet-maestro bot mentioned this pull request Dec 6, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BrennanConroy BrennanConroy BrennanConroy approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@captainsafia captainsafia Awaiting requested review from captainsafia captainsafia is a code owner

Assignees

No one assigned

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Projects

None yet

Milestone

11.0-preview1

Development

Successfully merging this pull request may close these issues.

3 participants

@DeagleGross @BrennanConroy