[WinHTTP] Validate header values for ASCII #116256
Conversation
dotnet-policy-service
bot
added
the
linkable-framework
MihaZupan
added
area-System.Net.Http
and removed
linkable-framework
dotnet-policy-service
bot
added
the
linkable-framework
MihaZupan
removed
the
linkable-framework
dotnet-policy-service
bot
added
the
linkable-framework
Co-authored-by: ManickaP <11718369+ManickaP@users.noreply.github.com>
src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
Show resolved
Hide resolved
| { | ||
| if (!IsAscii(headers)) | ||
| { | ||
| throw new HttpRequestException("Request headers must contain only ASCII characters."); |
There was a problem hiding this comment.
The exception message should be in the resx.
There was a problem hiding this comment.
Moved the hardcoded exception message to the Strings.resx file and updated the code to use SR.net_http_headers_must_be_ascii. The message is now properly localized. 00a1e04
| { | ||
| for (int i = 0; i < value.Length; i++) | ||
| { | ||
| if (value[i] > 127) |
There was a problem hiding this comment.
@ManickaP, is restricting to ASCII correct, or should it support Latin-1?
There was a problem hiding this comment.
Yes, for historical reasons it should allow Latin-1. On the other hand, it should not allow "dangerous" controls like CR LF and NUL.
There was a problem hiding this comment.
Updated header validation to allow Latin-1 characters (0-255) instead of just ASCII (0-127) for historical reasons, while still blocking dangerous control characters (CR, LF, NUL). Changed validation approach to check individual header values rather than the serialized header string to avoid issues with protocol formatting. Commit ab6c173.
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
…king dangerous controls Co-authored-by: ManickaP <11718369+ManickaP@users.noreply.github.com>
|
After a discussion with @MihaZupan, closing this in favor of #116335. |
WinHttpHandler was passing headers to WinHTTP.dll without validating that header values contain only ASCII characters, unlike SocketsHttpHandler which performs this validation.
Changes
Added ASCII validation to
WinHttpHandler.AddRequestHeaders():IsAscii()helper method to check for ASCII characters (char <= 127)ValidateHeadersForAscii()method that throwsHttpRequestExceptionfor non-ASCII headersWinHttpCookieContainerAdapter.GetCookieHeader()requestMessage.Headers.ToString()requestMessage.Content.Headers.ToString()Added comprehensive tests:
SendAsync_RequestWithNonAsciiHeaderValue_ThrowsHttpRequestException()- validates rejection of non-ASCII request headersSendAsync_RequestWithAsciiHeaderValue_Succeeds()- validates ASCII headers work normallySendAsync_RequestWithNonAsciiContentHeader_ThrowsHttpRequestException()- validates rejection of non-ASCII content headersBehavior
Now throws
HttpRequestExceptionwith message "Request headers must contain only ASCII characters." when header values contain characters > 127, matching the behavior and security posture of SocketsHttpHandler.Testing
Fixes #115112.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.