Update branding to 2.3.7 & merge internal commits (#64089)

* Merged PR 52828: Fix chunked request parsing

#### AI description  (iteration 1)
#### PR Classification
Bug fix to ensure correct parsing of HTTP chunked requests.

#### PR Summary
This pull request refines chunked request parsing by enforcing stricter checks on chunk extensions in accordance with RFC 9112, and it adds thorough tests for both valid and invalid input scenarios. The changes improve error handling and request rejection when encountering malformed chunk extensions.
- **`src/Servers/Kestrel/test/FunctionalTests/ChunkedRequestTests.cs`**: Added tests to validate behavior for requests with invalid newlines and various chunk extension formats.
- **`src/Servers/Kestrel/Core/src/Internal/Http/Http1MessageBody.cs`**: Updated parsing logic to correctly detect CRLF sequences and reject improperly formatted chunk extensions, including support for an insecure parsing switch.
- **`src/Servers/Kestrel/Core/test/MessageBodyTests.cs`**: Modified test inputs to align with the updated chunk extension parsing.
- **`src/Servers/Kestrel/Core/src/Internal/Http/RequestRejectionReason.cs`**: Introduced a new rejection reason, `BadChunkExtension`, for invalid chunk extensions.
- **`eng/PatchConfig.props`**: Updated patch configuration for version 2.3.4 to include the Kestrel core package changes.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

* Update branding to 2.3.7

* Fixup

---------

Co-authored-by: Brennan Conroy <[email protected]>

Author: wtgodbe

eng/Baseline.Designer.props

@@ -2,7 +2,7 @@
 <Project>
   <PropertyGroup>
     <MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
-    <AspNetCoreBaselineVersion>2.3.5</AspNetCoreBaselineVersion>
+    <AspNetCoreBaselineVersion>2.3.6</AspNetCoreBaselineVersion>
   </PropertyGroup>
   <!-- Package: dotnet-dev-certs-->
   <PropertyGroup Condition=" '$(PackageId)' == 'dotnet-dev-certs' ">
@@ -889,7 +889,7 @@
   </ItemGroup>
   <!-- Package: Microsoft.AspNetCore.Server.Kestrel.Core-->
   <PropertyGroup Condition=" '$(PackageId)' == 'Microsoft.AspNetCore.Server.Kestrel.Core' ">
-    <BaselinePackageVersion>2.3.0</BaselinePackageVersion>
+    <BaselinePackageVersion>2.3.6</BaselinePackageVersion>
   </PropertyGroup>
   <ItemGroup Condition=" '$(PackageId)' == 'Microsoft.AspNetCore.Server.Kestrel.Core' AND '$(TargetFramework)' == 'netstandard2.0' ">
     <BaselinePackageReference Include="Microsoft.AspNetCore.Hosting.Abstractions" Version="[2.3.0, )" />

eng/Baseline.xml

@@ -4,7 +4,7 @@ This file contains a list of all the packages and their versions which were rele
 build of ASP.NET Core 2.1.x. Update this list when preparing for a new patch.
 
 -->
-<Baseline Version="2.3.5">
+<Baseline Version="2.3.6">
   <Package Id="dotnet-dev-certs" Version="2.1.1" />
   <Package Id="dotnet-sql-cache" Version="2.1.1" />
   <Package Id="dotnet-user-secrets" Version="2.1.1" />
@@ -99,7 +99,7 @@ build of ASP.NET Core 2.1.x. Update this list when preparing for a new patch.
   <Package Id="Microsoft.AspNetCore.Routing" Version="2.3.0" />
   <Package Id="Microsoft.AspNetCore.Server.HttpSys" Version="2.3.0" />
   <Package Id="Microsoft.AspNetCore.Server.IISIntegration" Version="2.3.0" />
-  <Package Id="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.0" />
+  <Package Id="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.6" />
   <Package Id="Microsoft.AspNetCore.Server.Kestrel.Https" Version="2.3.0" />
   <Package Id="Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions" Version="2.3.0" />
   <Package Id="Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv" Version="2.3.0" />

eng/PatchConfig.props

@@ -43,6 +43,11 @@ Later on, this will be checked using this condition:
     </PackagesInPatch>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(VersionPrefix)' == '2.3.6' ">
+    <PackagesInPatch>
+      Microsoft.AspNetCore.Server.Kestrel.Core;
+    </PackagesInPatch>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(VersionPrefix)' == '2.3.7' ">
     <PackagesInPatch>
     </PackagesInPatch>
   </PropertyGroup>

src/Servers/Kestrel/Core/src/BadHttpRequestException.cs

@@ -72,6 +72,9 @@ internal static BadHttpRequestException GetException(RequestRejectionReason reas
                 case RequestRejectionReason.BadChunkSizeData:
                     ex = new BadHttpRequestException(CoreStrings.BadRequest_BadChunkSizeData, StatusCodes.Status400BadRequest, reason);
                     break;
+                case RequestRejectionReason.BadChunkExtension:
+                    ex = new BadHttpRequestException(CoreStrings.BadRequest_BadChunkExtension, StatusCodes.Status400BadRequest, reason);
+                    break;
                 case RequestRejectionReason.ChunkedRequestIncomplete:
                     ex = new BadHttpRequestException(CoreStrings.BadRequest_ChunkedRequestIncomplete, StatusCodes.Status400BadRequest, reason);
                     break;

src/Servers/Kestrel/Core/src/CoreStrings.resx

@@ -518,4 +518,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="BadDeveloperCertificateState" xml:space="preserve">
     <value>The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.</value>
   </data>
+  <data name="BadRequest_BadChunkExtension" xml:space="preserve">
+    <value>Bad chunk extension.</value>
+  </data>
 </root>

src/Servers/Kestrel/Core/src/Internal/Http/Http1MessageBody.cs

@@ -393,6 +393,7 @@ private class ForChunkedEncoding : Http1MessageBody
         {
             // byte consts don't have a data type annotation so we pre-cast it
             private const byte ByteCR = (byte)'\r';
+            private const byte ByteLF = (byte)'\n';
             // "7FFFFFFF\r\n" is the largest chunk size that could be returned as an int.
             private const int MaxChunkPrefixBytes = 10;
 
@@ -401,6 +402,13 @@ private class ForChunkedEncoding : Http1MessageBody
 
             private Mode _mode = Mode.Prefix;
 
+            private static readonly bool InsecureChunkedParsing;
+
+            static ForChunkedEncoding()
+            {
+                InsecureChunkedParsing = AppContext.TryGetSwitch("Microsoft.AspNetCore.Server.Kestrel.EnableInsecureChunkedRequestParsing", out var value) && value;
+            }
+
             public ForChunkedEncoding(bool keepAlive, Http1Connection context)
                 : base(context)
             {
@@ -554,56 +562,80 @@ private void ParseChunkedPrefix(ReadOnlySequence<byte> buffer, out SequencePosit
                 BadHttpRequestException.Throw(RequestRejectionReason.BadChunkSizeData);
             }
 
+            // https://www.rfc-editor.org/rfc/rfc9112#section-7.1
+            // chunk          = chunk-size [ chunk-ext ] CRLF
+            // chunk-data CRLF
+            // https://www.rfc-editor.org/rfc/rfc9112#section-7.1.1
+            // chunk-ext      = *( BWS ";" BWS chunk-ext-name
+            //                     [BWS "=" BWS chunk-ext-val] )
+            // chunk-ext-name = token
+            // chunk-ext-val  = token / quoted-string
             private void ParseExtension(ReadOnlySequence<byte> buffer, out SequencePosition consumed, out SequencePosition examined)
             {
-                // Chunk-extensions not currently parsed
-                // Just drain the data
-                consumed = buffer.Start;
-                examined = buffer.Start;
+                // Chunk-extensions parsed for \r\n and throws for unpaired \r or \n.
 
                 do
                 {
-                    SequencePosition? extensionCursorPosition = buffer.PositionOf(ByteCR);
+                    SequencePosition? extensionCursorPosition;
+                    if (InsecureChunkedParsing)
+                    {
+                        extensionCursorPosition = buffer.PositionOf(ByteCR);
+                    }
+                    else
+                    {
+                        extensionCursorPosition = buffer.PositionOfAny(ByteCR, ByteLF);
+                    }
+
                     if (extensionCursorPosition == null)
                     {
                         // End marker not found yet
                         consumed = buffer.End;
                         examined = buffer.End;
                         AddAndCheckConsumedBytes(buffer.Length);
                         return;
-                    };
+                    }
 
                     var extensionCursor = extensionCursorPosition.Value;
                     var charsToByteCRExclusive = buffer.Slice(0, extensionCursor).Length;
 
-                    var sufixBuffer = buffer.Slice(extensionCursor);
-                    if (sufixBuffer.Length < 2)
+                    var suffixBuffer = buffer.Slice(extensionCursor);
+                    if (suffixBuffer.Length < 2)
                     {
                         consumed = extensionCursor;
                         examined = buffer.End;
                         AddAndCheckConsumedBytes(charsToByteCRExclusive);
                         return;
                     }
 
-                    sufixBuffer = sufixBuffer.Slice(0, 2);
-                    var sufixSpan = sufixBuffer.ToSpan();
+                    suffixBuffer = suffixBuffer.Slice(0, 2);
+                    var suffixSpan = suffixBuffer.ToSpan();
 
-                    if (sufixSpan[1] == '\n')
+                    if (InsecureChunkedParsing
+                        ? (suffixSpan[1] == ByteLF)
+                        : (suffixSpan[0] == ByteCR && suffixSpan[1] == ByteLF))
                     {
                         // We consumed the \r\n at the end of the extension, so switch modes.
                         _mode = _inputLength > 0 ? Mode.Data : Mode.Trailer;
 
-                        consumed = sufixBuffer.End;
-                        examined = sufixBuffer.End;
+                        consumed = suffixBuffer.End;
+                        examined = suffixBuffer.End;
                         AddAndCheckConsumedBytes(charsToByteCRExclusive + 2);
                     }
-                    else
+                    else if (InsecureChunkedParsing)
                     {
+                        examined = buffer.Start;
                         // Don't consume suffixSpan[1] in case it is also a \r.
                         buffer = buffer.Slice(charsToByteCRExclusive + 1);
                         consumed = extensionCursor;
                         AddAndCheckConsumedBytes(charsToByteCRExclusive + 1);
                     }
+                    else
+                    {
+                        consumed = suffixBuffer.End;
+                        examined = suffixBuffer.End;
+                        // We have \rX or \nX, that's an invalid extension.
+                        BadHttpRequestException.Throw(RequestRejectionReason.BadChunkExtension);
+                    }
                 } while (_mode == Mode.Extension);
             }
 

src/Servers/Kestrel/Core/src/Internal/Http/PipelineExtensions.cs

@@ -216,7 +216,7 @@ private static unsafe void EncodeAsciiCharsToBytes(char* input, byte* output, in
                     i += 4;
                 }
 
-                trailing:
+            trailing:
                 for (; i < length; i++)
                 {
                     char ch = *(input + i);
@@ -269,5 +269,49 @@ private static byte[] CreateNumericBytesScratch()
             _numericBytesScratch = bytes;
             return bytes;
         }
+
+        /// <summary>
+        /// Returns position of first occurrence of item in the <see cref="ReadOnlySequence{T}"/>
+        /// </summary>
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        public static SequencePosition? PositionOfAny<T>(in this ReadOnlySequence<T> source, T value0, T value1) where T : IEquatable<T>
+        {
+            if (source.IsSingleSegment)
+            {
+                int index = source.First.Span.IndexOfAny(value0, value1);
+                if (index != -1)
+                {
+                    return source.GetPosition(index);
+                }
+
+                return null;
+            }
+            else
+            {
+                return PositionOfAnyMultiSegment(source, value0, value1);
+            }
+        }
+
+        private static SequencePosition? PositionOfAnyMultiSegment<T>(in ReadOnlySequence<T> source, T value0, T value1) where T : IEquatable<T>
+        {
+            SequencePosition position = source.Start;
+            SequencePosition result = position;
+            while (source.TryGet(ref position, out ReadOnlyMemory<T> memory))
+            {
+                int index = memory.Span.IndexOfAny(value0, value1);
+                if (index != -1)
+                {
+                    return source.GetPosition(index, result);
+                }
+                else if (position.GetObject() == null)
+                {
+                    break;
+                }
+
+                result = position;
+            }
+
+            return null;
+        }
     }
 }

src/Servers/Kestrel/Core/src/Internal/Http/RequestRejectionReason.cs

@@ -15,6 +15,7 @@ public enum RequestRejectionReason
         UnexpectedEndOfRequestContent,
         BadChunkSuffix,
         BadChunkSizeData,
+        BadChunkExtension,
         ChunkedRequestIncomplete,
         InvalidRequestTarget,
         InvalidCharactersInHeaderName,
@@ -32,6 +33,6 @@ public enum RequestRejectionReason
         MissingHostHeader,
         MultipleHostHeaders,
         InvalidHostHeader,
-        RequestBodyExceedsContentLength
+        RequestBodyExceedsContentLength,
     }
 }

src/Servers/Kestrel/Core/src/Properties/CoreStrings.Designer.cs

@@ -139,14 +139,14 @@ public async Task ReadExitsGivenIncompleteChunkedExtension()
                 var stream = new HttpRequestStream(Mock.Of<IHttpBodyControlFeature>());
                 stream.StartAcceptingReads(body);
 
-                input.Add("5;\r\0");
+                input.Add("5;\r");
 
                 var buffer = new byte[1024];
                 var readTask = stream.ReadAsync(buffer, 0, buffer.Length);
 
                 Assert.False(readTask.IsCompleted);
 
-                input.Add("\r\r\r\nHello\r\n0\r\n\r\n");
+                input.Add("\nHello\r\n0\r\n\r\n");
 
                 Assert.Equal(5, await readTask.DefaultTimeout());
                 Assert.Equal(0, await stream.ReadAsync(buffer, 0, buffer.Length));