FormFeature -Added exception for invalid content-disposition header (#7525)

Author: JulijaRamoskiene

src/Http/Http/src/Features/FormFeature.cs

@@ -175,8 +175,10 @@ private async Task<IFormCollection> InnerReadFormAsync(CancellationToken cancell
                     while (section != null)
                     {
                         // Parse the content disposition here and pass it further to avoid reparsings
-                        ContentDispositionHeaderValue contentDisposition;
-                        ContentDispositionHeaderValue.TryParse(section.ContentDisposition, out contentDisposition);
+                        if (!ContentDispositionHeaderValue.TryParse(section.ContentDisposition, out var contentDisposition))
+                        {
+                            throw new InvalidDataException("Form section has invalid Content-Disposition value: " + section.ContentDisposition);
+                        }
 
                         if (contentDisposition.IsFileDisposition())
                         {

src/Http/Http/test/Features/FormFeatureTests.cs

@@ -115,6 +115,14 @@ public async Task ReadFormAsync_SimpleData_ReturnsParsedFormCollection(bool buff
 "\r\n" +
 "Foo\r\n";
 
+        private const string InvalidContentDispositionValue = "form-data; name=\"description\" - filename=\"temp.html\"";
+
+        private const string MultipartFormFileInvalidContentDispositionValue = "--WebKitFormBoundary5pDRpGheQXaM8k3T\r\n" +
+"Content-Disposition: " +
+InvalidContentDispositionValue +
+"\r\n" +
+"\r\n" +
+"Foo\r\n";
 
         private const string MultipartFormWithField =
             MultipartFormField +
@@ -137,6 +145,10 @@ public async Task ReadFormAsync_SimpleData_ReturnsParsedFormCollection(bool buff
             MultipartFormFileSpecialCharacters +
             MultipartFormEndWithSpecialCharacters;
 
+        private const string MultipartFormWithInvalidContentDispositionValue =
+            MultipartFormFileInvalidContentDispositionValue +
+            MultipartFormEnd;
+
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
@@ -489,6 +501,24 @@ public async Task ReadFormAsync_MultipartWithFieldAndMediumFile_ReturnsParsedFor
             await responseFeature.CompleteAsync();
         }
 
+        [Fact]
+        public async Task ReadFormAsync_MultipartWithInvalidContentDisposition_Throw()
+        {
+            var formContent = Encoding.UTF8.GetBytes(MultipartFormWithInvalidContentDispositionValue);
+            var context = new DefaultHttpContext();
+            var responseFeature = new FakeResponseFeature();
+            context.Features.Set<IHttpResponseFeature>(responseFeature);
+            context.Request.ContentType = MultipartContentType;
+            context.Request.Body = new NonSeekableReadStream(formContent);
+
+            IFormFeature formFeature = new FormFeature(context.Request, new FormOptions());
+            context.Features.Set<IFormFeature>(formFeature);
+
+            var exception = await Assert.ThrowsAsync<InvalidDataException>(() => context.Request.ReadFormAsync());
+
+            Assert.Equal("Form section has invalid Content-Disposition value: " + InvalidContentDispositionValue, exception.Message);
+        }
+
         private Stream CreateFile(int size)
         {
             var stream = new MemoryStream(size);