Avoid header manipultaion on "Access-Control-Allow-Headers" and "Access-Control-Allow-Methods"

dotnet/src/dotnetframework/GxClasses/Core/GXUtilsCommon.cs

@@ -510,7 +510,7 @@ public class StringUtil
 		static char[] numbersAndSep = new char[] { '1', '2', '3', '4', '5', '6', '7', '8', '9', '-' };
 		static char[] numbers = new char[] { '1', '2', '3', '4', '5', '6', '7', '8', '9' };
 		internal static Dictionary<char, char> LogUserEntryWhiteList = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789+-_=/[]{}\":, ".ToDictionary(item => item, item => item);
-		internal static Dictionary<char, char> HostWhiteList = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789./".ToDictionary(item => item, item => item);
+		internal static Dictionary<char, char> HttpHeaderWhiteList = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789./;-@(){}[]?,<>\\".ToDictionary(item => item, item => item);
 
 		internal static string Sanitize(string input, Dictionary<char, char> WhiteList)
 		{

dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs

@@ -132,10 +132,10 @@ static void CorsValuesToHeaders(OutgoingWebResponseContext httpResponse, string[
 			httpResponse.Headers[HeaderNames.AccessControlAllowCredentials] = true.ToString();
 
 			if (!string.IsNullOrEmpty(requestHeaders))
-				httpResponse.Headers[HeaderNames.AccessControlAllowHeaders] = requestHeaders;
+				httpResponse.Headers[HeaderNames.AccessControlAllowHeaders] = StringUtil.Sanitize(requestHeaders, StringUtil.HttpHeaderWhiteList);
 
 			if (!string.IsNullOrEmpty(requestMethods))
-				httpResponse.Headers[HeaderNames.AccessControlAllowMethods] = requestMethods;
+				httpResponse.Headers[HeaderNames.AccessControlAllowMethods] = StringUtil.Sanitize(requestMethods, StringUtil.HttpHeaderWhiteList);
 
 			httpResponse.Headers[HeaderNames.AccessControlMaxAge] = CORS_MAX_AGE_SECONDS;
 
@@ -150,10 +150,10 @@ static void CorsValuesToHeaders(HttpResponseMessageProperty httpResponse, string
 			httpResponse.Headers[HeaderNames.AccessControlAllowCredentials] = true.ToString();
 
 			if (!string.IsNullOrEmpty(requestHeaders))
-				httpResponse.Headers[HeaderNames.AccessControlAllowHeaders] = requestHeaders;
+				httpResponse.Headers[HeaderNames.AccessControlAllowHeaders] = StringUtil.Sanitize(requestHeaders, StringUtil.HttpHeaderWhiteList);
 
 			if (!string.IsNullOrEmpty(requestMethods))
-				httpResponse.Headers[HeaderNames.AccessControlAllowMethods] = requestMethods;
+				httpResponse.Headers[HeaderNames.AccessControlAllowMethods] = StringUtil.Sanitize(requestMethods, StringUtil.HttpHeaderWhiteList);
 
 			httpResponse.Headers[HeaderNames.AccessControlMaxAge] = CORS_MAX_AGE_SECONDS;
 		}
@@ -170,10 +170,10 @@ static void CorsValuesToHeaders(HttpResponse httpResponse, string[] origins, str
 			httpResponse.AppendHeader(HeaderNames.AccessControlAllowCredentials, true.ToString());
 
 			if (!string.IsNullOrEmpty(requestHeaders))
-				httpResponse.AppendHeader(HeaderNames.AccessControlAllowHeaders, requestHeaders);
+				httpResponse.AppendHeader(HeaderNames.AccessControlAllowHeaders, StringUtil.Sanitize(requestHeaders, StringUtil.HttpHeaderWhiteList));
 
 			if (!string.IsNullOrEmpty(requestMethods))
-				httpResponse.AppendHeader(HeaderNames.AccessControlAllowMethods, requestMethods);
+				httpResponse.AppendHeader(HeaderNames.AccessControlAllowMethods, StringUtil.Sanitize(requestMethods, StringUtil.HttpHeaderWhiteList));
 
 			httpResponse.AppendHeader(HeaderNames.AccessControlMaxAge, CORS_MAX_AGE_SECONDS);
 		}
@@ -193,7 +193,7 @@ public static void SetResponseStatus(HttpContext httpContext, HttpStatusCode htt
 			{
 				wcfcontext.OutgoingResponse.StatusCode = httpStatusCode;
 				if (httpStatusCode==HttpStatusCode.Unauthorized){
-					wcfcontext.OutgoingResponse.Headers.Add(HttpHeader.AUTHENTICATE_HEADER, OatuhUnauthorizedHeader(StringUtil.Sanitize(wcfcontext.IncomingRequest.Headers["Host"],StringUtil.HostWhiteList), httpStatusCode.ToString(INT_FORMAT), string.Empty));
+					wcfcontext.OutgoingResponse.Headers.Add(HttpHeader.AUTHENTICATE_HEADER, OatuhUnauthorizedHeader(StringUtil.Sanitize(wcfcontext.IncomingRequest.Headers["Host"],StringUtil.HttpHeaderWhiteList), httpStatusCode.ToString(INT_FORMAT), string.Empty));
 				}
 				if (!string.IsNullOrEmpty(statusDescription))
 					wcfcontext.OutgoingResponse.StatusDescription = statusDescription.Replace(Environment.NewLine, string.Empty);
@@ -211,7 +211,7 @@ public static void SetResponseStatus(HttpContext httpContext, HttpStatusCode htt
 #endif
 				if (httpStatusCode == HttpStatusCode.Unauthorized)
 				{
-					httpContext.Response.Headers[HttpHeader.AUTHENTICATE_HEADER] = HttpHelper.OatuhUnauthorizedHeader(StringUtil.Sanitize(httpContext.Request.Headers["Host"], StringUtil.HostWhiteList), httpStatusCode.ToString(INT_FORMAT), string.Empty);
+					httpContext.Response.Headers[HttpHeader.AUTHENTICATE_HEADER] = HttpHelper.OatuhUnauthorizedHeader(StringUtil.Sanitize(httpContext.Request.Headers["Host"], StringUtil.HttpHeaderWhiteList), httpStatusCode.ToString(INT_FORMAT), string.Empty);
 				}
 
 #if !NETCORE
@@ -447,7 +447,6 @@ public static string[] GetParameterValues(string query)
 				return query.Split(',');
 			}
 		}
-
 		internal static void AllowHeader(HttpContext httpContext, List<string> methods)
 		{
 			httpContext.Response.AppendHeader(HeaderNames.Allow, string.Join(",", methods));