From a42a4e60e8ded50bfc76e65758f9271ae34cc9bd Mon Sep 17 00:00:00 2001
From: Claudia Murialdo
Date: Thu, 11 Aug 2022 16:18:03 -0300
Subject: [PATCH 1/4] Add neutralization of CRLF Sequences in HTTP Headers
---
 dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs | 2 +-
 dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
index 5bd46f16d..fefdd7ff4 100644
--- a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
@@ -2336,7 +2336,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex if (!expires.Equals(DateTimeUtil.NullDate())) cookieOptions.Expires = DateTime.SpecifyKind(cookie.Expires, DateTimeKind.Utc); - _HttpContext.Response.Cookies.Append(name, cookie.Value, cookieOptions); + _HttpContext.Response.Cookies.Append(cookie.Name, cookie.Value, cookieOptions); localCookies[name] = cookie; #else if (_HttpContext.Response.Cookies.Get(name) != null)
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
index 109c871e6..d1057b525 100644
--- a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -467,12 +467,12 @@ public static class HttpResponseExtensions { public static void AppendHeader(this HttpResponse response, string name, string value) { if (!response.HasStarted) - response.Headers[name] = value; + response.Headers[name] = GXUtil.UrlEncode(value); } public static void AddHeader(this HttpResponse response, string name, string value) { if (!response.HasStarted) - response.Headers[name] = value; + response.Headers[name] = GXUtil.UrlEncode(value); } public static void Write(this HttpResponse response, string value)
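Review bot: `GXUtil.UrlEncode(value)` in `AppendHeader` and `AddHeader` is the wrong primitive for CRLF neutralization: it percent-encodes every reserved character, so any header carrying `/`, `:` or spaces (a `Location` with an absolute URL, as patch 3/4 of this series reports) is corrupted, while the header `name` is not neutralized at all. A narrower check on both arguments keeps legitimate values intact, e.g. `if (name.IndexOfAny(new[] { '\r', '\n' }) >= 0 || value.IndexOfAny(new[] { '\r', '\n' }) >= 0) throw new ArgumentException("CR/LF not allowed in HTTP headers");` placed before the assignment. On ASP.NET Core the framework's header dictionary is, as far as I can tell, expected to reject control characters at write time anyway, so confirm whether this extension needs its own filter or only the name check. Note also that both methods overwrite `response.Headers[name]`, so `AppendHeader` does not append; a one-line comment stating that, or an explicit `response.Headers.Append(name, value)` call, would make the intent unambiguous.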
From 173dd32b9ff58056f5fda7765346dd2af46bb432 Mon Sep 17 00:00:00 2001
From: Claudia Murialdo
Date: Fri, 12 Aug 2022 13:28:13 -0300
Subject: [PATCH 2/4] Encode cookie value and name. Configure IE_COMPATIBILITY_VIEW with a constant to avoid Insertion of Sensitive Information Into Sent Data
---
 .../dotnetframework/GxClasses/Core/GXApplication.cs | 4 ++--
 .../dotnetframework/GxClasses/Middleware/GXHttp.cs | 11 +++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
index fefdd7ff4..c4469faed 100644
--- a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
@@ -2304,7 +2304,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex { if (_HttpContext == null || localCookies == null) return 0; - HttpCookie cookie = new HttpCookie(name, GXUtil.UrlEncode(cookieValue)); + HttpCookie cookie = new HttpCookie(name, cookieValue); cookie.Path = path.TrimEnd(); //HttpCookie.Path default is /, which is the server root. //In Genexus: If path isn’t specified, the cookie is valid for the web panels that are in the same directory as the one it is stored in, or in subordinated directories
@@ -2336,7 +2336,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex if (!expires.Equals(DateTimeUtil.NullDate())) cookieOptions.Expires = DateTime.SpecifyKind(cookie.Expires, DateTimeKind.Utc); - _HttpContext.Response.Cookies.Append(cookie.Name, cookie.Value, cookieOptions); + _HttpContext.Response.Cookies.Append(GXUtil.UrlEncode(cookie.Name), GXUtil.UrlEncode(cookie.Value), cookieOptions); localCookies[name] = cookie; #else if (_HttpContext.Response.Cookies.Get(name) != null)
diff --git a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
index dc19f61e9..ce09cd936 100644
--- a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
@@ -2099,7 +2099,8 @@ protected virtual void sendCacheHeaders() localHttpContext.Response.AddHeader("Cache-Control", HttpHelper.CACHE_CONTROL_HEADER_NO_CACHE_REVALIDATE); } } - + const string IE_COMP_EmulateIE7 = "EmulateIE7"; + const string IE_COMP_Edge = "edge"; public virtual void sendAdditionalHeaders() { if (IsSpaRequest())
@@ -2110,12 +2111,14 @@ public virtual void sendAdditionalHeaders() Config.GetValueOf("IE_COMPATIBILITY_VIEW", out IECompMode); if (!string.IsNullOrEmpty(IECompMode)) { - if (IECompMode.Equals("EmulateIE7") && !context.GetBrowserVersion().StartsWith("8")) //compatibility + if (IECompMode.Equals(IE_COMP_EmulateIE7) && !context.GetBrowserVersion().StartsWith("8")) //compatibility return; + + string safeIECompMode = IE_COMP_Edge.Equals(IE_COMP_EmulateIE7) ? IE_COMP_Edge : IE_COMP_Edge; #if NETCORE - localHttpContext.Response.Headers["X-UA-Compatible"] = "IE=" + IECompMode; + localHttpContext.Response.Headers["X-UA-Compatible"] = "IE=" + safeIECompMode; #else - localHttpContext.Response.AddHeader("X-UA-Compatible", "IE=" + IECompMode); + localHttpContext.Response.AddHeader("X-UA-Compatible", "IE=" + safeIECompMode); #endif } }
From d730d613d7badaa0675bcdaf25d54729e81eebe7 Mon Sep 17 00:00:00 2001
From: Claudia Murialdo
Date: Tue, 16 Aug 2022 16:51:55 -0300
Subject: [PATCH 3/4] Temporary revert. It breaks Location headers with absolute URLS.
---
 dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs | 2 +-
 dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
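Review bot: `string safeIECompMode = IE_COMP_Edge.Equals(IE_COMP_EmulateIE7) ? IE_COMP_Edge : IE_COMP_Edge;` in the second GXHttp.cs hunk compares two constants and yields `IE_COMP_Edge` on both arms, so `X-UA-Compatible` is always `IE=edge` and the `EmulateIE7` configuration that the early return just above accepts for IE8 can never reach the header. The likely intent is `string safeIECompMode = IECompMode.Equals(IE_COMP_EmulateIE7) ? IE_COMP_EmulateIE7 : IE_COMP_Edge;`, which keeps the allow-list property (the raw configured string never flows into the header) while preserving the IE7 mode. A comment such as `// map the configured value onto a fixed allow-list so the raw config string never reaches the header` would record why the indirection exists. Style: the two `const string` fields in the first hunk sit between methods with no access modifier and non-PascalCase names; `private const string IECompEmulateIE7` / `IECompEdge` alongside the class's other fields would match C# conventions. `sendAdditionalHeaders` starts in the first hunk and its body continues between and beyond both hunks.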
diff --git a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
index c4469faed..ce0c8e28a 100644
--- a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
@@ -2336,7 +2336,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex if (!expires.Equals(DateTimeUtil.NullDate())) cookieOptions.Expires = DateTime.SpecifyKind(cookie.Expires, DateTimeKind.Utc); - _HttpContext.Response.Cookies.Append(GXUtil.UrlEncode(cookie.Name), GXUtil.UrlEncode(cookie.Value), cookieOptions); + _HttpContext.Response.Cookies.Append(cookie.Name, cookie.Value, cookieOptions); localCookies[name] = cookie; #else if (_HttpContext.Response.Cookies.Get(name) != null)
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
index d1057b525..109c871e6 100644
--- a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -467,12 +467,12 @@ public static class HttpResponseExtensions { public static void AppendHeader(this HttpResponse response, string name, string value) { if (!response.HasStarted) - response.Headers[name] = GXUtil.UrlEncode(value); + response.Headers[name] = value; } public static void AddHeader(this HttpResponse response, string name, string value) { if (!response.HasStarted) - response.Headers[name] = GXUtil.UrlEncode(value); + response.Headers[name] = value; } public static void Write(this HttpResponse response, string value)
From c199a065a172bc5049fdb1938ea5f58ae7d3a228 Mon Sep 17 00:00:00 2001
From: cmurialdo
Date: Tue, 30 Aug 2022 18:02:24 -0300
Subject: [PATCH 4/4] Restore GXUtil.UrlEncode removed by mistake.
---
 dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
index ce0c8e28a..5bd46f16d 100644
--- a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
@@ -2304,7 +2304,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex { if (_HttpContext == null || localCookies == null) return 0; - HttpCookie cookie = new HttpCookie(name, cookieValue); + HttpCookie cookie = new HttpCookie(name, GXUtil.UrlEncode(cookieValue)); cookie.Path = path.TrimEnd(); //HttpCookie.Path default is /, which is the server root. //In Genexus: If path isn’t specified, the cookie is valid for the web panels that are in the same directory as the one it is stored in, or in subordinated directories
@@ -2336,7 +2336,7 @@ public short SetCookie(string name, string cookieValue, string path, DateTime ex if (!expires.Equals(DateTimeUtil.NullDate())) cookieOptions.Expires = DateTime.SpecifyKind(cookie.Expires, DateTimeKind.Utc); - _HttpContext.Response.Cookies.Append(cookie.Name, cookie.Value, cookieOptions); + _HttpContext.Response.Cookies.Append(name, cookie.Value, cookieOptions); localCookies[name] = cookie; #else if (_HttpContext.Response.Cookies.Get(name) != null)
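Review bot: After this hunk GXApplication.cs is back at blob `5bd46f16d`, the exact index patch 1/4 started from, and HttpHelper.cs was returned to `109c871e6` by patch 3/4, so none of the CRLF neutralization announced in the patch 1/4 subject survives the series for cookies or response headers; the only net change is the `X-UA-Compatible` allow-list in GXHttp.cs. If that is intentional, the series description should say so; if not, the cookie path still needs a CR/LF check independent of URL-encoding, because `GXUtil.UrlEncode(cookieValue)` covers only the value while `name` is passed to `Append` unchanged, e.g. `if (name.IndexOfAny(new[] { '\r', '\n' }) >= 0) throw new ArgumentException("CR/LF not allowed in cookie name", nameof(name));` before the `HttpCookie` is constructed. Whether the NETCORE `Cookies.Append` already validates the name cannot be confirmed from this hunk, so check that before relying on it. `SetCookie` starts and ends outside both hunks.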