Ensure System.Uri consistently uses the correct RFC 3986 reserved character set (#26006)

Resolve an issue with System.Uri where certain percent encoded characters that should be left as-is are decoded, but only when the URI also contains Unicode or an encoded non-reserved symbol. 

This issue was left over after the URI reserved character set was upgraded from RFC 2396 to RFC 3986. In several places the upgrade was missed, resulting in certain code paths still using the old reserved character set. 

This fix updates places where the RFC 2396 set was still being used, and adds tests to ensure this behavior is consistent. It also retains the code used for quirking in .Net Framework, but always enables the new behavior instead of checking an AppContextSwitch. 

This fix has been ported from .NET Framework.

Author: rmkerr

src/System.Private.Uri/src/System/IriHelper.cs

@@ -95,11 +95,12 @@ internal static bool CheckIsReserved(char ch, UriComponents component)
             {
                 return (component == (UriComponents)0) ? UriHelper.IsGenDelim(ch) : false;
             }
-            else
+            else if (UriParser.DontEnableStrictRFC3986ReservedCharacterSets)
             {
+                // Since we aren't enabling strict RFC 3986 reserved sets, we stick with the old behavior
+                // (for app-compat) which was a broken mix of RFCs 2396 and 3986.
                 switch (component)
                 {
-                    // Reserved chars according to RFC 3987
                     case UriComponents.UserInfo:
                         if (ch == '/' || ch == '?' || ch == '#' || ch == '[' || ch == ']' || ch == '@')
                             return true;
@@ -125,6 +126,10 @@ internal static bool CheckIsReserved(char ch, UriComponents component)
                 }
                 return false;
             }
+            else
+            {
+                return (UriHelper.RFC3986ReservedMarks.IndexOf(ch) >= 0);
+            }
         }
 
         //

src/System.Private.Uri/src/System/UriHelper.cs

@@ -657,29 +657,44 @@ internal static char EscapedAscii(char digit, char next)
                        + 10)));
         }
 
-        // Do not unescape these in safe mode:
-        // 1)  reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
-        // 2)  excluded = control | "#" | "%" | "\"
+        internal const string RFC3986ReservedMarks = @";/?:@&=+$,#[]!'()*";
+        private const string RFC2396ReservedMarks = @";/?:@&=+$,";
+        private const string RFC3986UnreservedMarks = @"-_.~";
+        private const string RFC2396UnreservedMarks = @"-_.~*'()!";
+        private const string AdditionalUnsafeToUnescape = @"%\#";// While not specified as reserved, these are still unsafe to unescape.
+
+        // When unescaping in safe mode, do not unescape the RFC 3986 reserved set:
+        // gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"
+        // sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
+        //             / "*" / "+" / "," / ";" / "="
         //
-        // That will still give plenty characters unescaped by SafeUnesced mode such as
-        // 1) Unicode characters
-        // 2) Unreserved = alphanum | "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
-        // 3) DelimitersAndUnwise = "<" | ">" |  <"> | "{" | "}" | "|" | "^" | "[" | "]" | "`"
+        // In addition, do not unescape the following unsafe characters:
+        // excluded    = "%" / "\"
+        //
+        // This implementation used to use the following variant of the RFC 2396 reserved set. 
+        // That behavior is now disabled by default, and is controlled by a UriSyntax property. 
+        // reserved    = ";" | "/" | "?" | "@" | "&" | "=" | "+" | "$" | ","
+        // excluded    = control | "#" | "%" | "\"
         internal static bool IsNotSafeForUnescape(char ch)
         {
             if (ch <= '\x1F' || (ch >= '\x7F' && ch <= '\x9F'))
+            {
                 return true;
-            else if ((ch >= ';' && ch <= '@' && (ch | '\x2') != '>') ||
-                     (ch >= '#' && ch <= '&') ||
-                     ch == '+' || ch == ',' || ch == '/' || ch == '\\')
+            }
+            else if (UriParser.DontEnableStrictRFC3986ReservedCharacterSets)
+            {
+                if ((ch != ':' && (RFC2396ReservedMarks.IndexOf(ch) >= 0) || (AdditionalUnsafeToUnescape.IndexOf(ch) >= 0)))
+                {
+                    return true;
+                }
+            }
+            else if ((RFC3986ReservedMarks.IndexOf(ch) >= 0) || (AdditionalUnsafeToUnescape.IndexOf(ch) >= 0))
+            {
                 return true;
-
+            }
             return false;
         }
 
-        private const string RFC3986ReservedMarks = @":/?#[]@!$&'()*+,;=";
-        private const string RFC3986UnreservedMarks = @"-._~";
-
         private static unsafe bool IsReservedUnreservedOrHash(char c)
         {
             if (IsUnreserved(c))

src/System.Private.Uri/src/System/UriSyntax.cs

@@ -100,6 +100,15 @@ public abstract partial class UriParser
 
         internal static UriParser VsMacrosUri;
 
+        internal static bool DontEnableStrictRFC3986ReservedCharacterSets
+        {
+            // In .NET Framework this would test against an AppContextSwitch. Since this is a potentially
+            // breaking change, we'll leave in the system used to disable it.
+            get
+            {
+                return false;
+            }
+        }
 
         static UriParser()
         {

src/System.Private.Uri/tests/FunctionalTests/IriEncodingDecodingTests.cs

@@ -0,0 +1,154 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Reflection;
+using System.Text;
+
+using Xunit;
+
+namespace System.PrivateUri.Tests
+{
+    public class IriEncodingDecodingTest
+    {
+        // This array contains potentially problematic URI data strings and their canonical encoding.
+        private static string[,] RFC3986CompliantDecoding =
+        {
+            { "%3B%2F%3F%3A%40%26%3D%2B%24%2C", "%3B%2F%3F%3A%40%26%3D%2B%24%2C" }, // Encoded RFC 2396 Reserved Marks.
+            { @"-_.~", @"-_.~" }, // RFC3986 Unreserved Marks.
+            { "%2D%5F%2E%7E", @"-_.~" }, // Encoded RFC 3986 Unreserved Marks.
+            { "%2F%3F%3A%40%23%5B%5D", "%2F%3F%3A%40%23%5B%5D" }, // Encoded RFC 3986 Gen Delims.
+            { @";&=+$,!'()*", @";&=+$,!'()*" }, // RFC 3986 Sub Delims.
+            { "%3B%26%3D%2B%24%2C%21%27%28%29%2A", "%3B%26%3D%2B%24%2C%21%27%28%29%2A" } // Encoded RFC3986 Sub Delims.
+        };
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void AbsoluteUri_DangerousPathSymbols_RFC3986CompliantAbsoluteUri()
+        {
+            Uri uri;
+            string baseUri = "http://a/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = baseUri + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal(baseUri + RFC3986CompliantDecoding[i, 1], uri.AbsoluteUri);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void AbsolutePath_DangerousPathSymbols_RFC3986CompliantAbsolutePath()
+        {
+            Uri uri;
+            string host = "http://a";
+            string path = "/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = host + path + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal(path + RFC3986CompliantDecoding[i, 1], uri.AbsolutePath);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void Segments_DangerousPathSymbols_RFC3986CompliantPathSegments()
+        {
+            Uri uri;
+            string host = "http://a";
+            string path = "/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = host + path + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal(path + RFC3986CompliantDecoding[i, 1], String.Join(String.Empty, uri.Segments));
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void Equality_DangerousPathSymbols_RFC3986CompliantEquality()
+        {
+            string baseUri = "http://a/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                Uri uri1 = new Uri(baseUri + RFC3986CompliantDecoding[i, 0]);
+                Uri uri2 = new Uri(baseUri + RFC3986CompliantDecoding[i, 1]);
+                Assert.Equal(uri1, uri2);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void PathAndQuery_DangerousQuerySymbols_RFC3986CompliantPathAndQuery()
+        {
+            Uri uri;
+            string host = "http://a";
+            string path = "/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = host + path + "?" + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal(path + "?" + RFC3986CompliantDecoding[i, 1], uri.PathAndQuery);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void Query_DangerousQuerySymbols_RFC3986CompliantQuery()
+        {
+            Uri uri;
+            string baseUri = "http://a/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = baseUri + "?" + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal("?" + RFC3986CompliantDecoding[i, 1], uri.Query);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void Equality_DangerousQuerySymbols_RFC3986CompliantEquality()
+        {
+            string baseUri = "http://a/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                Uri uriTest = new Uri(baseUri + "?" + RFC3986CompliantDecoding[i, 0]);
+                Uri uriTest1 = new Uri(baseUri + "?" + RFC3986CompliantDecoding[i, 1]);
+                Assert.Equal(uriTest, uriTest1);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void Fragment_DangerousFragmentSymbols_RFC3986CompliantFragment()
+        {
+            Uri uri;
+            string baseUri = "http://a/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = baseUri + "#" + RFC3986CompliantDecoding[i, 0];
+                uri = new Uri(sourceStr);
+                Assert.Equal("#" + RFC3986CompliantDecoding[i, 1], uri.Fragment);
+            }
+        }
+
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void UserInfo_DangerousUserInfoSymbols_RFC3986CompliantUserInfo()
+        {
+            Uri uri;
+            string baseUri = "http://";
+            string host = "a";
+            string path = "/%C3%88/";
+            for (int i = 0; i < RFC3986CompliantDecoding.GetLength(0); i++)
+            {
+                string sourceStr = baseUri + RFC3986CompliantDecoding[i, 0] + "@" + host + path;
+                uri = new Uri(sourceStr);
+                Assert.Equal(RFC3986CompliantDecoding[i, 1], uri.UserInfo);
+            }
+        }
+    }
+}

src/System.Private.Uri/tests/FunctionalTests/IriTest.cs

@@ -403,54 +403,55 @@ private string EscapeUnescapeTestComponent(string uriInput, UriComponents compon
 
         /// <summary>
         /// First column contains input characters found to be potential issues with the current implementation.
-        /// The second column contains the current (.Net 4.5.2) Uri behavior for Uri normalization.
+        /// The second column contains the current (.Net Core 2.1/Framework 4.7.2) Uri behavior for Uri normalization.
         /// </summary>
         private static string[,] s_checkIsReservedEscapingStrings =
         {
-            // : [ ] in host
+            // : [ ] in host.
             {"http://user@ser%3Aver.srv:123/path/path/resource.ext?query=expression#fragment", null},
             {"http://user@server.srv%3A999/path/path/resource.ext?query=expression#fragment", null},
             {"http://user@server.%5Bsrv:123/path/path/resource.ext?query=expression#fragment", null},
             {"http://user@ser%5Dver.srv:123/path/path/resource.ext?query=expression#fragment", null},
 
-            // [ ] in userinfo
-            {"http://us%5Ber@server.srv:123/path/path/resource.ext?query=expression#fragment",
+            // [ ] in userinfo.
+            {"http://us%5Ber@server.srv:123/path/path/resource.ext?query=expression#fragment",  
                 "http://us%5Ber@server.srv:123/path/path/resource.ext?query=expression#fragment"},
-            {"http://u%5Dser@server.srv:123/path/path/resource.ext?query=expression#fragment",
+            {"http://u%5Dser@server.srv:123/path/path/resource.ext?query=expression#fragment", 
                 "http://u%5Dser@server.srv:123/path/path/resource.ext?query=expression#fragment"},
-            {"http://us%5B%5Der@server.srv:123/path/path/resource.ext?query=expression#fragment",
+            {"http://us%5B%5Der@server.srv:123/path/path/resource.ext?query=expression#fragment", 
                 "http://us%5B%5Der@server.srv:123/path/path/resource.ext?query=expression#fragment"},
 
-            // [ ] in path
-            {"http://user@server.srv:123/path/pa%5Bth/resource.ext?query=expression#fragment",
-                "http://user@server.srv:123/path/pa[th/resource.ext?query=expression#fragment"},
-            {"http://user@server.srv:123/pa%5Dth/path%5D/resource.ext?query=expression#fragment",
-                "http://user@server.srv:123/pa]th/path]/resource.ext?query=expression#fragment"},
-            {"http://user@server.srv:123/path/p%5Ba%5Dth/resource.ext?query=expression#fragment",
-                "http://user@server.srv:123/path/p[a]th/resource.ext?query=expression#fragment"},
+            // [ ] : ' in path.
+            {"http://user@server.srv:123/path/pa%5B%3A%27th/resource.ext?query=expression#fragment", 
+                "http://user@server.srv:123/path/pa%5B%3A%27th/resource.ext?query=expression#fragment"},
+            {"http://user@server.srv:123/pa%5D%3A%27th/path%5D%3A%27/resource.ext?query=expression#fragment", 
+                "http://user@server.srv:123/pa%5D%3A%27th/path%5D%3A%27/resource.ext?query=expression#fragment"},
+            {"http://user@server.srv:123/path/p%5B%3A%27a%5D%3A%27th/resource.ext?query=expression#fragment", 
+                "http://user@server.srv:123/path/p%5B%3A%27a%5D%3A%27th/resource.ext?query=expression#fragment"},
 
-            // [ ] in query
-            {"http://user@server.srv:123/path/path/resource.ext?que%5Bry=expression#fragment",
-                "http://user@server.srv:123/path/path/resource.ext?que[ry=expression#fragment"},
-            {"http://user@server.srv:123/path/path/resource.ext?query=exp%5Dression#fragment",
-                "http://user@server.srv:123/path/path/resource.ext?query=exp]ression#fragment"},
-            {"http://user@server.srv:123/path/path/resource.ext?que%5Bry=exp%5Dression#fragment",
-                "http://user@server.srv:123/path/path/resource.ext?que[ry=exp]ression#fragment"},
+            // [ ] : ' in query.
+            {"http://user@server.srv:123/path/path/resource.ext?que%5B%3A%27ry=expression#fragment",
+                "http://user@server.srv:123/path/path/resource.ext?que%5B%3A%27ry=expression#fragment"},
+            {"http://user@server.srv:123/path/path/resource.ext?query=exp%5D%3A%27ression#fragment",
+                "http://user@server.srv:123/path/path/resource.ext?query=exp%5D%3A%27ression#fragment"},
+            {"http://user@server.srv:123/path/path/resource.ext?que%5B%3A%27ry=exp%5D%3A%27ression#fragment",
+                "http://user@server.srv:123/path/path/resource.ext?que%5B%3A%27ry=exp%5D%3A%27ression#fragment"},
 
-            // [ ] in fragment
-            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5Bagment",
-                "http://user@server.srv:123/path/path/resource.ext?query=expression#fr[agment"},
-            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fragment%5D",
-                "http://user@server.srv:123/path/path/resource.ext?query=expression#fragment]"},
-            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5Bagment%5D",
-                "http://user@server.srv:123/path/path/resource.ext?query=expression#fr[agment]"}
+            // [ ] : ' in fragment.
+            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5B%3A%27agment",
+                "http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5B%3A%27agment"},
+            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fragment%5D%3A%27",
+                "http://user@server.srv:123/path/path/resource.ext?query=expression#fragment%5D%3A%27"},
+            {"http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5B%3A%27agment%5D%3A%27",
+                "http://user@server.srv:123/path/path/resource.ext?query=expression#fr%5B%3A%27agment%5D%3A%27"}
         };
 
         /// <summary>
         /// This test validates behavior differences caused by the incorrect conditional expression found in function
         /// CheckIsReserved().
         /// </summary>
         [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
         public void Iri_CheckIsReserved_EscapingBehavior()
         {
             for (int i = 0; i < s_checkIsReservedEscapingStrings.GetLength(0); i++)

src/System.Private.Uri/tests/FunctionalTests/System.Private.Uri.Functional.Tests.csproj

@@ -11,6 +11,7 @@
     <Compile Include="IdnCheckHostNameTest.cs" />
     <Compile Include="IdnDnsSafeHostTest.cs" />
     <Compile Include="IdnHostNameValidationTest.cs" />
+    <Compile Include="IriEncodingDecodingTests.cs" />
     <Compile Include="IriRelativeFileResolutionTest.cs" />
     <Compile Include="IriTest.cs" />
     <Compile Include="UriBuilderParameterTest.cs" />

src/System.Private.Uri/tests/FunctionalTests/UriEscapingTest.cs

@@ -321,13 +321,14 @@ public void UriAbsoluteEscaping_RFC2396Unreserved_NoEscaping()
         }
 
         [Fact]
-        public void UriAbsoluteUnEscaping_RFC2396UnreservedEscaped_AllUnescaped()
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
+        public void UriAbsoluteUnEscaping_RFC3986UnreservedEscaped_AllUnescaped()
         {
-            string escaped = Escape(RFC2396Unreserved);
+            string escaped = Escape(RFC3986Unreserved);
             string input = "http://" + AlphaNumeric.ToLowerInvariant() + "/" + escaped
                 + "?" + escaped + "#" + escaped;
-            string expectedOutput = "http://" + AlphaNumeric.ToLowerInvariant() + "/" + RFC2396Unreserved
-                + "?" + RFC2396Unreserved + "#" + RFC2396Unreserved;
+            string expectedOutput = "http://" + AlphaNumeric.ToLowerInvariant() + "/" + RFC3986Unreserved
+                + "?" + RFC3986Unreserved + "#" + RFC3986Unreserved;
 
             Uri testUri = new Uri(input);
             Assert.Equal(expectedOutput, testUri.AbsoluteUri);
@@ -398,12 +399,12 @@ public void UriAbsoluteEscaping_FullIPv6Uri_NothingEscaped()
         }
 
         [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Requires fix shipping in .NET 4.7.2")]
         public void UriAbsoluteEscaping_SurrogatePair_LocaleIndependent()
         {
             string uriString = "http://contosotest.conto.soco.ntosoco.com/surrgtest()?$filter=";
-            string expectedString = uriString + "%E6%95%B0%E6%8D%AE%20eq%20" +
-                            "'%F0%A0%80%80%F0%A0%80%81%F0%A0%80%82%F0%A0%80%83%F0%AA%9B%91%F0%AA%9B" +
-                            "%92%F0%AA%9B%93%F0%AA%9B%94%F0%AA%9B%95%F0%AA%9B%96'";
+            string expectedString = uriString + "%E6%95%B0%E6%8D%AE%20eq%20%27%F0%A0%80%80%F0%A0%80%81%F0%A0%80%82%F0%A0%80%83%F0" + 
+                                                "%AA%9B%91%F0%AA%9B%92%F0%AA%9B%93%F0%AA%9B%94%F0%AA%9B%95%F0%AA%9B%96%27";
 
             using (ThreadCultureChange iriHelper = new ThreadCultureChange())
             {