Merging internal commits for release/6.0 #40602
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…in ASP.NET Core via FormPipeReader # [6.0] MSRC 69432 - ASP.NET Core - Denial of service in ASP.NET Core via FormPipeReader Fixes a bug in FormPipeReader where data without a delimiter will be buffered indefinitely, beyond configured limits. ## Description When chunked data without a delimiter is sent to FormPipeReader, FormPipeReader will read the entire stream of data, starting from the beginning each time, without honoring configured length limits. This is because, after each read, it checks if `SequenceReader.Consumed` is greater than the configured limit, but `SequenceReader.Consumed` is 0 when no delimiter was found. Therefore the check against the length limit is never honored, and we continue to read data indefinitely, starting from the beginning of the stream each time. ## Customer Impact Potential Denial-Of-Service attack on services using FormPipeReader ## Regression? - [ ] Yes - [ x ] No [If yes, specify the version the behavior has regressed from] ## Risk - [ ] High - [ x ] Medium - [ ] Low The fix is a one-liner, and tests confirm a significant positive improvement on perf. There could be orthogonal issues that we've missed ## Verification - [ x ] Manual (required) - [ x ] Automated ## Packaging changes reviewed? - [ x ] Yes - [ ] No - [ ] N/A ---- ## When servicing release/2.1 - [ ] Make necessary changes in eng/PatchConfig.props FormPipeReader
…t-efcore dnceng/internal/dotnet-runtime - Revert "Make UseUrls() override default hosting config (dotnet#39836)"
…ng/internal/dotnet-efcore This pull request updates the following dependencies [marker]: <> (Begin:1ac68a20-28fc-4e11-3a4d-08d961c5a689) ## From https://dev.azure.com/dnceng/internal/_git/dotnet-efcore - **Subscription**: 1ac68a20-28fc-4e11-3a4d-08d961c5a689 - **Build**: 20220223.6 - **Date Produced**: February 24, 2022 6:36:40 AM UTC - **Commit**: 0257e5c118d78ce1b4d5e514779240c929c4b8aa - **Branch**: refs/heads/internal/release/6.0 [DependencyUpdate]: <> (Begin) - **Updates**: - **Microsoft.EntityFrameworkCore.Tools**: [from 6.0.3 to 6.0.3][1] - **dotnet-ef**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore.Design**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore.InMemory**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore.Relational**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore.Sqlite**: [from 6.0.3 to 6.0.3][1] - **Microsoft.EntityFrameworkCore.SqlServer**: [from 6.0.3 to 6.0.3][1] [1]: https://dev.azure.com/dnceng/internal/_git/dotnet-efcore/branches?baseVersion=GC348a3ca&targetVersion=GC0257e5c&_a=files [DependencyUpdate]: <> (End) [marker]: <> (End:1ac68a20-28fc-4e11-3a4d-08d961c5a689)
…-merge-6.0-2022-03-08-1138
vseanreesermsft
requested review from
BrennanConroy,
Pilchie,
Tratcher and
dougbu
as code owners
ghost
added this to the
|
Hi @vseanreesermsft. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document. |
Pilchie
added
the
area-infrastructure
- reenable baseline validation - set `$(IsPublicRuntime)` back to `true`
dougbu
approved these changes
Mar 9, 2022
Contributor
|
@wtgodbe please confirm your change merged correctly. I didn't do anything special but would prefer an extra set of 👀 on it. |
wtgodbe
approved these changes
Mar 9, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.