Skip to content

Merging internal commits for release/5.0 #40601

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Mar 10, 2022
Merged

Merging internal commits for release/5.0 #40601

merged 13 commits into from
Mar 10, 2022

Conversation

@vseanreesermsft
Copy link
Contributor

@vseanreesermsft vseanreesermsft commented Mar 8, 2022

No description provided.

dotnet-bot and others added 9 commits February 2, 2022 17:42
@dotnet-bot
Merge in 'release/5.0' changes
57fc9c5
@wtgodbe
Merged PR 20757: [5.0] MSRC 69432 - ASP.NET Core - Denial of service …
7ebbf76 
…in ASP.NET Core via FormPipeReader

# [5.0] MSRC 69432 - ASP.NET Core - Denial of service in ASP.NET Core via FormPipeReader

Fixes a bug in FormPipeReader where data without a delimiter will be buffered indefinitely, beyond configured limits.

## Description

When chunked data without a delimiter is sent to FormPipeReader, FormPipeReader will read the entire stream of data, starting from the beginning each time, without honoring configured length limits. This is because, after each read, it checks if `SequenceReader.Consumed` is greater than the configured limit, but `SequenceReader.Consumed` is 0 when no delimiter was found. Therefore the check against the length limit is never honored, and we continue to read data indefinitely, starting from the beginning of the stream each time.

Also brings in the changes from dotnet#27586

## Customer Impact

Potential Denial-Of-Service attack on services using FormPipeReader

## Regression?

- [ ] Yes
- [ x ] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ x ] Medium
- [ ] Low

The fix is a one-liner, and tests confirm a significant positive improvement on perf. There could be orthogonal issues that we've missed

## Verification

- [ x ] Manual (required)
- [ x ] Automated

## Packaging changes reviewed?

- [ x ] Yes
- [ ] No
- [ ] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

FormPipeReader
@dotnet-bot
Merge in 'release/5.0' changes
4d59eb9
@dotnet-bot
Merge in 'release/5.0' changes
5a948d5
@dotnet-bot
Merge in 'release/5.0' changes
e0a0772
@dotnet-bot
Merge in 'release/5.0' changes
4731bfe
@dotnet-bot
[internal/release/5.0] Update dependencies from dnceng/internal/dotne…
5b0922d 
…t-efcore
@dotnet-bot
[internal/release/5.0] Update dependencies from dnceng/internal/dotne…
6939d9a 
…t-runtime
@vseanreesermsft
Merge commit '6939d9ab90aa1e57bb0619bb28819f7bcbfdbb54' into internal…
c560bcd 
…-merge-5.0-2022-03-08-1136
@ghost ghost added this to the 5.0.x milestone Mar 8, 2022
@ghost
Copy link

ghost commented Mar 8, 2022

Hi @vseanreesermsft. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add tell-mode label.

@Pilchie Pilchie added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Mar 8, 2022
@wtgodbe
Copy link
Member

wtgodbe commented Mar 8, 2022

@adiaaida @rbhanda are the packages/blobs done being mirrored to public yet?

@dougbu dougbu added the tell-mode Indicates a PR which is being merged during tell-mode label Mar 9, 2022
@wtgodbe
Copy link
Member

wtgodbe commented Mar 9, 2022

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Mar 9, 2022

Azure Pipelines successfully started running 2 pipeline(s).

@vseanreesermsft vseanreesermsft requested a review from a team as a code owner March 9, 2022 23:26
@wtgodbe wtgodbe enabled auto-merge March 9, 2022 23:29
@wtgodbe wtgodbe merged commit 0d8cd08 into dotnet:release/5.0 Mar 10, 2022
@wtgodbe wtgodbe modified the milestones: 5.0.x, 5.0.16 Mar 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wtgodbe wtgodbe wtgodbe approved these changes

@Tratcher Tratcher Awaiting requested review from Tratcher Tratcher is a code owner

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

@dougbu dougbu Awaiting requested review from dougbu

@Pilchie Pilchie Awaiting requested review from Pilchie Pilchie is a code owner

Assignees

No one assigned

Labels

area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework tell-mode Indicates a PR which is being merged during tell-mode

Projects

None yet

Milestone

5.0.16

Development

Successfully merging this pull request may close these issues.

5 participants

@vseanreesermsft @wtgodbe @Pilchie @dougbu @dotnet-bot