Support tab characters in headers and unify validation code between servers. (#40671)

adityamandaleeka · web-flow · commit dafd01aa6c5d · 2022-03-14T14:40:45.000-07:00
* Support tab characters in headers and unify validation code between servers.

* Preserve non-ASCII header value char treatment in http.sys.
diff --git a/src/Servers/HttpSys/src/Microsoft.AspNetCore.Server.HttpSys.csproj b/src/Servers/HttpSys/src/Microsoft.AspNetCore.Server.HttpSys.csproj
@@ -18,6 +18,7 @@
     <Compile Include="$(SharedSourceRoot)HttpSys\**\*.cs" />
     <Compile Include="$(SharedSourceRoot)Buffers.MemoryPool\*.cs" LinkBase="MemoryPool" />
     <Compile Include="$(SharedSourceRoot)ServerInfrastructure\StringUtilities.cs" LinkBase="ServerInfrastructure\StringUtilities.cs" />
+    <Compile Include="$(SharedSourceRoot)ServerInfrastructure\HttpCharacters.cs" LinkBase="ServerInfrastructure\HttpCharacters.cs" />
     <Compile Include="$(SharedSourceRoot)TaskToApm.cs" />
   </ItemGroup>
 
diff --git a/src/Servers/HttpSys/test/FunctionalTests/ResponseHeaderTests.cs b/src/Servers/HttpSys/test/FunctionalTests/ResponseHeaderTests.cs
@@ -113,6 +113,27 @@ public async Task ResponseHeaders_ServerSendsCustomHeaders_Success()
             }
         }
 
+        [ConditionalFact]
+        public async Task ResponseHeaders_ServerSendsNonAsciiHeaders_Success()
+        {
+            string address;
+            using (Utilities.CreateHttpServer(out address, httpContext =>
+            {
+                var responseInfo = httpContext.Features.Get<IHttpResponseFeature>();
+                var responseHeaders = responseInfo.Headers;
+                responseHeaders["Custom-Header1"] = new string[] { "Da�ta" };
+                return Task.FromResult(0);
+            }))
+            {
+                var socketsHttpHandler = new SocketsHttpHandler() { ResponseHeaderEncodingSelector = (_, _) => Encoding.UTF8 };
+                var httpClient = new HttpClient(socketsHttpHandler);
+                var response = await httpClient.GetAsync(address);
+                response.EnsureSuccessStatusCode();
+                Assert.True(response.Headers.TryGetValues("Custom-Header1", out var header));
+                Assert.Equal("Da�ta", header.Single());
+            }
+        }
+
         [ConditionalFact]
         public async Task ResponseHeaders_ServerSendsConnectionClose_Closed()
         {
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/Http1Connection.cs b/src/Servers/Kestrel/Core/src/Internal/Http/Http1Connection.cs
@@ -8,6 +8,7 @@
 using System.IO.Pipelines;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
 
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/HttpHeaders.cs b/src/Servers/Kestrel/Core/src/Internal/Http/HttpHeaders.cs
@@ -10,7 +10,6 @@
 using System.Runtime.InteropServices;
 using System.Text;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
 using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
 
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs b/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs
@@ -6,6 +6,7 @@
 using System.Diagnostics;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs b/src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs
@@ -16,6 +16,7 @@
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
 using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
+using HttpCharacters = Microsoft.AspNetCore.Http.HttpCharacters;
 using HttpMethods = Microsoft.AspNetCore.Http.HttpMethods;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs b/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs
@@ -15,6 +15,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
+using HttpCharacters = Microsoft.AspNetCore.Http.HttpCharacters;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http3
 {
diff --git a/src/Servers/Kestrel/Core/src/Internal/KestrelServerImpl.cs b/src/Servers/Kestrel/Core/src/Internal/KestrelServerImpl.cs
@@ -11,6 +11,7 @@
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Hosting.Server;
 using Microsoft.AspNetCore.Hosting.Server.Features;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http;
diff --git a/src/Servers/Kestrel/Core/test/HttpResponseHeadersTests.cs b/src/Servers/Kestrel/Core/test/HttpResponseHeadersTests.cs
@@ -241,6 +241,18 @@ public void AddingNonAsciiCharactersWithCustomEncoderWorks(string value)
             ((IDictionary<string, StringValues>)responseHeaders).Add("Unknown", value);
         }
 
+        [Fact]
+        public void AddingTabCharactersToHeaderPropertyWorks()
+        {
+            var responseHeaders = (IHeaderDictionary)new HttpResponseHeaders();
+
+            // Known special header
+            responseHeaders.Allow = "Da\tta";
+
+            // Unknown header fallback
+            responseHeaders.Accept = "Da\tta";
+        }
+
         [Fact]
         public void ThrowsWhenAddingHeaderAfterReadOnlyIsSet()
         {
diff --git a/src/Shared/HttpSys/RequestProcessing/HeaderCollection.cs b/src/Shared/HttpSys/RequestProcessing/HeaderCollection.cs
@@ -272,12 +272,10 @@ public static void ValidateHeaderCharacters(string headerCharacters)
         {
             if (headerCharacters != null)
             {
-                foreach (var ch in headerCharacters)
+                var invalid = HttpCharacters.IndexOfInvalidFieldValueCharExtended(headerCharacters);
+                if (invalid >= 0)
                 {
-                    if (ch < 0x20)
-                    {
-                        throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, "Invalid control character in header: 0x{0:X2}", (byte)ch));
-                    }
+                    throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, "Invalid control character in header: 0x{0:X2}", headerCharacters[invalid]));
                 }
             }
         }
diff --git a/src/Shared/ServerInfrastructure/HttpCharacters.cs b/src/Shared/ServerInfrastructure/HttpCharacters.cs
@@ -4,7 +4,7 @@
 using System;
 using System.Runtime.CompilerServices;
 
-namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure
+namespace Microsoft.AspNetCore.Http
 {
     internal static class HttpCharacters
     {
@@ -107,6 +107,9 @@ private static bool[] InitializeFieldValue()
         {
             // field-value https://tools.ietf.org/html/rfc7230#section-3.2
             var fieldValue = new bool[_tableSize];
+
+            fieldValue[0x9] = true; // HTAB
+
             for (var c = 0x20; c <= 0x7e; c++) // VCHAR and SP
             {
                 fieldValue[c] = true;
@@ -182,7 +185,8 @@ public static int IndexOfInvalidTokenChar(ReadOnlySpan<byte> span)
             return -1;
         }
 
-        // Disallows control characters and anything more than 0x7F
+        // Follows field-value rules in https://tools.ietf.org/html/rfc7230#section-3.2
+        // Disallows characters > 0x7E.
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         public static int IndexOfInvalidFieldValueChar(string s)
         {
@@ -200,7 +204,7 @@ public static int IndexOfInvalidFieldValueChar(string s)
             return -1;
         }
 
-        // Disallows control characters but allows extended characters > 0x7F
+        // Follows field-value rules for chars <= 0x7F. Allows extended characters > 0x7F.
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         public static int IndexOfInvalidFieldValueCharExtended(string s)
         {

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`using Microsoft.Extensions.Logging;`
`16`	`16`	`using Microsoft.Extensions.Primitives;`
`17`	`17`	`using Microsoft.Net.Http.Headers;`
	`18`	`+using HttpCharacters = Microsoft.AspNetCore.Http.HttpCharacters;`
`18`	`19`
`19`	`20`	`namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http3`
`20`	`21`	`{`
Original file line number	Diff line number	Diff line change
`@@ -272,12 +272,10 @@ public static void ValidateHeaderCharacters(string headerCharacters)`
`272`	`272`	`{`
`273`	`273`	`if (headerCharacters != null)`
`274`	`274`	`{`
`275`		`- foreach (var ch in headerCharacters)`
	`275`	`+ var invalid = HttpCharacters.IndexOfInvalidFieldValueCharExtended(headerCharacters);`
	`276`	`+ if (invalid >= 0)`
`276`	`277`	`{`
`277`		`- if (ch < 0x20)`
`278`		`- {`
`279`		`- throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, "Invalid control character in header: 0x{0:X2}", (byte)ch));`
`280`		`- }`
	`278`	`+ throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, "Invalid control character in header: 0x{0:X2}", headerCharacters[invalid]));`
`281`	`279`	`}`
`282`	`280`	`}`
`283`	`281`	`}`