CookieHeaderParserShared throws exception when last cookie contains invalid character #45014
Comments
It's probably coming from this line:
I wonder why TryParseValue didn't return false? Would you like to contribute a fix for this?
Hi @Tratcher, I would like to try to fix it as my first contribution if it is not a problem.
@korteksz sure, first write the test and use that to figure out what the root issue is.
I think the problem is that if you have a cookie like Update:
@korteksz If you've got questions about the implementation, feel free to drop them here. Or you can just open a pull request with your proposed change (and include a test) and the team will review it and give you feedback. Guidance for how to do that is here: https://github.com/dotnet/aspnetcore/blob/main/CONTRIBUTING.md#how-to-submit-a-pr Thanks for contributing!
….TryParseValues() method to prevent parsing strings wrong which contain separator characters. Reported by this issue: dotnet#45014
…erShared.TryParseValues() method to prevent parsing strings wrong which contain separator characters. Reported by this issue: dotnet#45014" This reverts commit a5ee158.
Same issue in .NET 7.0.1.
The PR #45127 disappeared in the release .NET 7.0.1, please see CookieHeaderParserShared.cs#L29
@cnblogs-dudu this was only fixed in 8.0, not 7.0. Bug fixes are not automatically backported, you'd need to demonstrate that this issue is blocking your development. Do you understand why this cookie has invalid data, and how to avoid it or work around it?
@Tratcher There are lots of
Could you please release a fix version in .NET 7!! @Tratcher
Noisy error logs are not sufficient justification for a patch. There needs to be a functional business impact. A) Are these legitimate requests? It should be possible to work around this by checking the cookie header first for known invalid data and removing it or terminating the request.
Is there an existing issue for this?
Describe the bug
Cookie String: keya=valuea; keyb=valueb; errorcookie=dd,:("sa;
The last part of the cookie string above is an invalid cookie and the whole cookie string ends with `;`. This will throw an exception like below, and all cookies fail to be read.
Exception: Nullable object must have a value.
at Microsoft.Net.Http.Headers.CookieHeaderParserShared.TryParseValues(StringValues values, IDictionary`2 store, Boolean enableCookieNameEncoding, Boolean supportsMultipleValues)
at Microsoft.AspNetCore.Http.RequestCookieCollection.ParseInternal(StringValues values, Boolean enableCookieNameEncoding)
at Microsoft.AspNetCore.Http.Features.RequestCookiesFeature.get_Cookies()
... try get value from cookies
Cookie String: keya=valuea; keyb=valueb; errorcookie=dd,:("sa
The last part of the cookie string above is an invalid cookie and the whole cookie string ends without `;`. This will not throw an exception; the parser will ignore errorcookie.
Expected Behavior
The error cookie should be ignored, and normal cookies should still be readable.
Steps To Reproduce
No response
Exceptions (if any)
Nullable object must have a value.
at Microsoft.Net.Http.Headers.CookieHeaderParserShared.TryParseValues(StringValues values, IDictionary`2 store, Boolean enableCookieNameEncoding, Boolean supportsMultipleValues)
at Microsoft.AspNetCore.Http.RequestCookieCollection.ParseInternal(StringValues values, Boolean enableCookieNameEncoding)
at Microsoft.AspNetCore.Http.Features.RequestCookiesFeature.get_Cookies()
.NET Version
7.0
Anything else?
visual studio 2022 17.4.0
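The workaround suggested in the thread (check the Cookie header for invalid data and remove it before the framework parses it), as an added example that is not from the issue or the ASP.NET Core code base. `CookieHeaderSanitizer` and `UseCookieHeaderSanitizer` are hypothetical names; the code assumes .NET 6 or later and that dropping every pair that fails the RFC 6265 cookie-pair grammar is acceptable for the application.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (not part of ASP.NET Core): keeps only the cookie pairs
// that match the RFC 6265 cookie-pair grammar and rebuilds the header.
public static class CookieHeaderSanitizer
{
    // Token characters allowed in a cookie name, besides ASCII letters and digits.
    private const string TokenSymbols = "!#$%&'*+-.^_`|~";

    private static bool IsToken(string s) =>
        s.Length > 0 && s.All(c => c < 128 && (char.IsLetterOrDigit(c) || TokenSymbols.Contains(c)));

    // cookie-octet: visible ASCII except DQUOTE, comma, semicolon and backslash.
    private static bool IsCookieOctet(char c) =>
        c > 0x20 && c < 0x7F && c != '"' && c != ',' && c != ';' && c != '\\';

    private static bool IsValidPair(string pair)
    {
        int eq = pair.IndexOf('=');
        if (eq <= 0) return false;                       // no name, or no '=' at all
        string name = pair[..eq], value = pair[(eq + 1)..];
        // A value may be wrapped in exactly one pair of double quotes.
        if (value.Length >= 2 && value[0] == '"' && value[^1] == '"')
            value = value[1..^1];
        return IsToken(name) && value.All(IsCookieOctet);
    }

    // Drops invalid pairs and empty segments, so the result never ends with ';'.
    public static string Sanitize(string header) =>
        string.Join("; ", header
            .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
            .Where(IsValidPair));

    // Register first, before any middleware that reads Request.Cookies.
    public static IApplicationBuilder UseCookieHeaderSanitizer(this IApplicationBuilder app) =>
        app.Use(async (HttpContext context, RequestDelegate next) =>
        {
            var raw = context.Request.Headers.Cookie;
            if (raw.Count > 0)
            {
                var cleaned = string.Join("; ", raw.Select(v => Sanitize(v ?? "")).Where(v => v.Length > 0));
                if (cleaned.Length == 0) context.Request.Headers.Remove("Cookie");
                else context.Request.Headers.Cookie = cleaned;
            }
            await next(context);
        });
}
```

This filter is stricter than the framework parser, so a cookie the framework would otherwise have accepted can be dropped; logging the rejected cookie names (not values) before discarding them makes that visible.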