Add new-line validation to Well-Known header parsing

Author: MihaZupan

src/libraries/System.Net.Http/src/System/Net/Http/Headers/AuthenticationHeaderValue.cs

@@ -38,6 +38,7 @@ public AuthenticationHeaderValue(string scheme)
         public AuthenticationHeaderValue(string scheme, string? parameter)
         {
             HeaderUtilities.CheckValidToken(scheme, nameof(scheme));
+            HttpHeaders.CheckContainsNewLine(parameter);
             _scheme = scheme;
             _parameter = parameter;
         }

src/libraries/System.Net.Http/src/System/Net/Http/Headers/HttpHeaders.cs

@@ -1076,7 +1076,7 @@ private bool TryGetHeaderDescriptor(string name, out HeaderDescriptor descriptor
             return false;
         }
 
-        private static void CheckContainsNewLine(string? value)
+        internal static void CheckContainsNewLine(string? value)
         {
             if (value == null)
             {

src/libraries/System.Net.Http/src/System/Net/Http/Headers/HttpRequestHeaders.cs

@@ -2,7 +2,6 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics;
-using System.Diagnostics.CodeAnalysis;
 
 namespace System.Net.Http.Headers
 {
@@ -102,6 +101,8 @@ public string? From
                     value = null;
                 }
 
+                CheckContainsNewLine(value);
+
                 SetOrRemoveParsedValue(KnownHeaders.From.Descriptor, value);
             }
         }

src/libraries/System.Net.Http/src/System/Net/Http/Headers/MediaTypeHeaderParser.cs

@@ -7,7 +7,6 @@ namespace System.Net.Http.Headers
 {
     internal sealed class MediaTypeHeaderParser : BaseHeaderParser
     {
-        private readonly bool _supportsMultipleValues;
         private readonly Func<MediaTypeHeaderValue> _mediaTypeCreator;
 
         internal static readonly MediaTypeHeaderParser SingleValueParser = new MediaTypeHeaderParser(false, CreateMediaType);
@@ -18,8 +17,6 @@ private MediaTypeHeaderParser(bool supportsMultipleValues, Func<MediaTypeHeaderV
             : base(supportsMultipleValues)
         {
             Debug.Assert(mediaTypeCreator != null);
-
-            _supportsMultipleValues = supportsMultipleValues;
             _mediaTypeCreator = mediaTypeCreator;
         }
 

src/libraries/System.Net.Http/src/System/Net/Http/Headers/NameValueHeaderValue.cs

@@ -1,10 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Collections.Generic;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
-using System.IO;
 using System.Text;
 
 namespace System.Net.Http.Headers
@@ -362,18 +360,24 @@ private static void CheckValueFormat(string? value)
             // Trailing/leading space are not allowed
             if (value[0] == ' ' || value[0] == '\t' || value[^1] == ' ' || value[^1] == '\t')
             {
-                throw new FormatException(SR.Format(System.Globalization.CultureInfo.InvariantCulture, SR.net_http_headers_invalid_value, value));
+                ThrowFormatException(value);
             }
 
-            // If it's not a token we check if it's a valid quoted string
-            if (HttpRuleParser.GetTokenLength(value, 0) == 0)
+            if (value[0] == '"')
             {
                 HttpParseResult parseResult = HttpRuleParser.GetQuotedStringLength(value, 0, out int valueLength);
-                if ((parseResult == HttpParseResult.Parsed && valueLength != value.Length) || parseResult != HttpParseResult.Parsed)
+                if (parseResult != HttpParseResult.Parsed || valueLength != value.Length)
                 {
-                    throw new FormatException(SR.Format(System.Globalization.CultureInfo.InvariantCulture, SR.net_http_headers_invalid_value, value));
+                    ThrowFormatException(value);
                 }
             }
+            else if (HttpRuleParser.ContainsNewLine(value))
+            {
+                ThrowFormatException(value);
+            }
+
+            static void ThrowFormatException(string value) =>
+                throw new FormatException(SR.Format(System.Globalization.CultureInfo.InvariantCulture, SR.net_http_headers_invalid_value, value));
         }
 
         private static NameValueHeaderValue CreateNameValue()

src/libraries/System.Net.Http/src/System/Net/Http/HttpRuleParser.cs

@@ -2,7 +2,6 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics;
-using System.Globalization;
 using System.Text;
 
 namespace System.Net.Http
@@ -141,20 +140,6 @@ internal static int GetWhitespaceLength(string input, int startIndex)
                     continue;
                 }
 
-                if (c == '\r')
-                {
-                    // If we have a #13 char, it must be followed by #10 and then at least one SP or HT.
-                    if ((current + 2 < input.Length) && (input[current + 1] == '\n'))
-                    {
-                        char spaceOrTab = input[current + 2];
-                        if ((spaceOrTab == ' ') || (spaceOrTab == '\t'))
-                        {
-                            current += 3;
-                            continue;
-                        }
-                    }
-                }
-
                 return current - startIndex;
             }
 
@@ -298,7 +283,7 @@ internal static HttpParseResult GetQuotedPairLength(string input, int startIndex
         }
 
         // TEXT = <any OCTET except CTLs, but including LWS>
-        // LWS = [CRLF] 1*( SP | HT )
+        // LWS = SP | HT
         // CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
         //
         // Since we don't really care about the content of a quoted string or comment, we're more tolerant and
@@ -337,8 +322,15 @@ private static HttpParseResult GetExpressionLength(string input, int startIndex,
                     continue;
                 }
 
+                char c = input[current];
+
+                if (c == '\r' || c == '\n')
+                {
+                    return HttpParseResult.InvalidFormat;
+                }
+
                 // If we support nested expressions and we find an open-char, then parse the nested expressions.
-                if (supportsNesting && (input[current] == openChar))
+                if (supportsNesting && (c == openChar))
                 {
                     // Check if we exceeded the number of nested calls.
                     if (nestedCount > MaxNestedCount)

src/libraries/System.Net.Http/tests/UnitTests/Headers/AltSvcHeaderParserTest.cs

@@ -1,14 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
 using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using System.Net.Http.Headers;
 using Xunit;
-using Xunit.Sdk;
 
 namespace System.Net.Http.Tests
 {

src/libraries/System.Net.Http/tests/UnitTests/Headers/ByteArrayHeaderParserTest.cs

@@ -1,10 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
 using System.Net.Http.Headers;
-using System.Text;
 
 using Xunit;
 

src/libraries/System.Net.Http/tests/UnitTests/Headers/ContentDispositionHeaderValueTest.cs

@@ -1,11 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http.Headers;
-using System.Text;
 
 using Xunit;
 
@@ -487,8 +485,8 @@ public void GetDispositionTypeLength_DifferentValidScenarios_AllReturnNonZero()
             Assert.Equal("custom", value.Parameters.ElementAt(0).Name);
             Assert.Null(value.Parameters.ElementAt(0).Value);
 
-            Assert.Equal(40, ContentDispositionHeaderValue.GetDispositionTypeLength(
-                "inline ; custom =\r\n \"x\" ; name = myName , next", 0, out result));
+            Assert.Equal(38, ContentDispositionHeaderValue.GetDispositionTypeLength(
+                "inline ; custom = \"x\" ; name = myName , next", 0, out result));
             value = (ContentDispositionHeaderValue)result;
             Assert.Equal("inline", value.DispositionType);
             Assert.Equal("myName", value.Name);
@@ -535,14 +533,14 @@ public void GetDispositionTypeLength_DifferentInvalidScenarios_AllReturnZero()
         public void Parse_SetOfValidValueStrings_ParsedCorrectly()
         {
             ContentDispositionHeaderValue expected = new ContentDispositionHeaderValue("inline");
-            CheckValidParse("\r\n inline  ", expected);
+            CheckValidParse(" inline  ", expected);
             CheckValidParse("inline", expected);
 
             // We don't have to test all possible input strings, since most of the pieces are handled by other parsers.
             // The purpose of this test is to verify that these other parsers are combined correctly to build a
             // Content-Disposition parser.
             expected.Name = "myName";
-            CheckValidParse("\r\n inline  ;  name =   myName ", expected);
+            CheckValidParse(" inline  ;  name =   myName ", expected);
             CheckValidParse("  inline;name=myName", expected);
 
             expected.Name = null;
@@ -565,35 +563,7 @@ public void Parse_SetOfInvalidValueStrings_Throws()
             CheckInvalidParse("inline; name=myName,");
             CheckInvalidParse("inline; name=my\u4F1AName");
             CheckInvalidParse("inline/");
-        }
-
-        [Fact]
-        public void TryParse_SetOfValidValueStrings_ParsedCorrectly()
-        {
-            ContentDispositionHeaderValue expected = new ContentDispositionHeaderValue("inline");
-            CheckValidTryParse("\r\n inline  ", expected);
-            CheckValidTryParse("inline", expected);
-
-            // We don't have to test all possible input strings, since most of the pieces are handled by other parsers.
-            // The purpose of this test is to verify that these other parsers are combined correctly to build a
-            // Content-Disposition parser.
-            expected.Name = "myName";
-            CheckValidTryParse("\r\n inline  ;  name =   myName ", expected);
-            CheckValidTryParse("  inline;name=myName", expected);
-        }
-
-        [Fact]
-        public void TryParse_SetOfInvalidValueStrings_ReturnsFalse()
-        {
-            CheckInvalidTryParse("");
-            CheckInvalidTryParse("  ");
-            CheckInvalidTryParse(null);
-            CheckInvalidTryParse("inline\u4F1A");
-            CheckInvalidTryParse("inline ,");
-            CheckInvalidTryParse("inline,");
-            CheckInvalidTryParse("inline; name=myName ,");
-            CheckInvalidTryParse("inline; name=myName,");
-            CheckInvalidTryParse("text/");
+            CheckInvalidParse(" inline  ; \r name =   myName ");
         }
 
         #region Tests from HenrikN
@@ -1209,24 +1179,16 @@ private void CheckValidParse(string input, ContentDispositionHeaderValue expecte
         {
             ContentDispositionHeaderValue result = ContentDispositionHeaderValue.Parse(input);
             Assert.Equal(expectedResult, result);
-        }
-
-        private void CheckInvalidParse(string input)
-        {
-            Assert.Throws<FormatException>(() => { ContentDispositionHeaderValue.Parse(input); });
-        }
 
-        private void CheckValidTryParse(string input, ContentDispositionHeaderValue expectedResult)
-        {
-            ContentDispositionHeaderValue result = null;
             Assert.True(ContentDispositionHeaderValue.TryParse(input, out result), input);
             Assert.Equal(expectedResult, result);
         }
 
-        private void CheckInvalidTryParse(string input)
+        private void CheckInvalidParse(string input)
         {
-            ContentDispositionHeaderValue result = null;
-            Assert.False(ContentDispositionHeaderValue.TryParse(input, out result), input);
+            Assert.Throws<FormatException>(() => { ContentDispositionHeaderValue.Parse(input); });
+
+            Assert.False(ContentDispositionHeaderValue.TryParse(input, out ContentDispositionHeaderValue result), input);
             Assert.Null(result);
         }
 

src/libraries/System.Net.Http/tests/UnitTests/Headers/DateHeaderParserTest.cs

@@ -1,11 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Net.Http.Headers;
-using System.Text;
 
 using Xunit;