Skip to content

Replace dangerous characters in response headers #117290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 9, 2025
Merged

Replace dangerous characters in response headers #117290

merged 4 commits into from
Jul 9, 2025

Conversation

antonfirsov
Copy link
Contributor

@antonfirsov antonfirsov commented Jul 3, 2025
edited
Loading

Fixes #116688

Edit: The original PR has been reworked.

The change has been optimized for the happy path, when no replacement has to be done. We are identifying it by scanning through undecoded headerValue bytes, which is expected to be cheap E2E.

Original description:

I ran a basic microbenchmark to see how much can this impact performance. The difference seems negligible on the happy path, especially with the headerValue.IndexOfAny(s_dangerousCharacterBytes) >= 0 optimization, though we can remove it if we prefer simplicity over a few nanosecs.

@Copilot Copilot AI review requested due to automatic review settings July 3, 2025 21:05
@antonfirsov antonfirsov requested a review from a team July 3, 2025 21:06
@dotnet-policy-service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Copilot
Copilot AI reviewed Jul 3, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

This was referenced Jul 4, 2025
Closed
Closed
Closed
Open
Open
Open
Open
Closed
antonfirsov
antonfirsov commented Jul 7, 2025
View reviewed changes
Copy link
Contributor Author

@antonfirsov antonfirsov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MihaZupan PTAL. Also see #117290 (comment).

@antonfirsov
Copy link
Contributor Author

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@antonfirsov antonfirsov merged commit 68023ed into dotnet:main Jul 9, 2025
81 of 95 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@MihaZupan MihaZupan MihaZupan approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

@antonfirsov antonfirsov

Labels

area-System.Net.Http

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SocketsHttpHandler should replace received new lines in headers with spaces

2 participants

@antonfirsov @MihaZupan