Skip to content

[7.0] Match strangely formatted PathBase in HttpSys & IIS #42751 #45008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 14, 2022
Merged

[7.0] Match strangely formatted PathBase in HttpSys & IIS #42751 #45008

merged 5 commits into from
Nov 14, 2022

Conversation

Tratcher
Copy link
Member

There are unusual situations where Http.Sys, IIS, and AspNetCore disagree on the format of the root path of the site.

Forward port of #44753, already servicing-approved.

Description

Http.Sys and IIS support path based routing of requests between sites that are sharing the same port. It applies this matching using the normalized path (e.g. decoded, dot segments removed, etc.). The problem is that Http.Sys does some non-standard normalizations that AspNetCore doesn't like collapsing consecutive slashes, converting backslashes to forward slashes, decoding %2F, etc., so when we try to separate the PathBase later it might not match and the path gets split in the wrong place, causing errors and routing mismatches up stack.

Note there's no defined behavior for most of these unusual path constructions, they are usually mistakes made by the client when constructing the url such as consecutive slashes, backslashes, etc.. AspNetCore does less auto-correction for such mistakes, but an app can usually fix these up in middleware if it wants. This bug was worse for HttpSys because the requests failed before reaching middleware due to a malformed path after an incorrect split.

I've added extra processing to the PathBase logic to emulate Http.Sys's behaviors. E.g. /base will now match //\/%2F%5Cbase like Http.Sys does. The original PathBase //\/%2F%5Cbase will still be included in the request, but the remaining Path will be properly separated now. There's one test case (not reported by any customer) I wasn't able to fix which includes consecutive slashes and dot segments, Http.Sys collapses consecutive slashes before dot segments, but we are applying this fallback after dot segments have been removed. This case gracefully falls back to reporting no PathBase.

I have not included an app context switch since the prior behavior would fail valid requests, and I make sure to apply the old standard matching first before trying the new approach.

I did not implement this additional logic on the TryMatchLongestPrefix code path that's primarily used in delegation scenarios. That code path already gracefully falls back to reporting no PathBase when it can't match.

Contributes to #42751

Customer Impact

This was reported externally first, but then a patch was requested to unblock an internal partner's .NET 6 adoption. A limited workaround is available in the issue.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Using PathBase's with unusual formats is rare enough that this is the first customer to notice.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@Tratcher Tratcher added Servicing-approved Shiproom has approved the issue area-runtime labels Nov 10, 2022
@Tratcher Tratcher added this to the 7.0.1 milestone Nov 10, 2022
@Tratcher Tratcher requested a review from wtgodbe November 10, 2022 20:32
@Tratcher Tratcher self-assigned this Nov 10, 2022
@Tratcher Tratcher requested a review from JamesNK as a code owner November 10, 2022 20:32
@ghost
Copy link

ghost commented Nov 10, 2022

Hi @Tratcher. This PR was just approved to be included in the upcoming servicing release. Somebody from the @dotnet/aspnet-build team will get it merged when the branches are open. Until then, please make sure all the CI checks pass and the PR is reviewed.

@Tratcher Tratcher mentioned this pull request Nov 10, 2022
Closed
1 task
@wtgodbe wtgodbe enabled auto-merge (squash) November 10, 2022 20:45
@Tratcher
Copy link
Member Author

/backport to main

@github-actions
Copy link
Contributor

Started backporting to main: https://github.com/dotnet/aspnetcore/actions/runs/3440614035

@github-actions github-actions bot mentioned this pull request Nov 10, 2022
Merged
@Tratcher
Copy link
Member Author

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 3 pipeline(s).

@Tratcher
Copy link
Member Author

#45091 should fix the linux build

@wtgodbe wtgodbe disabled auto-merge November 14, 2022 21:14
@wtgodbe wtgodbe merged commit 04fed3c into dotnet:release/7.0 Nov 14, 2022
@wtgodbe
Copy link
Member

wtgodbe commented Nov 14, 2022

Merging to get past the restore failure

@Tratcher Tratcher deleted the tratcher/release/7.0/slashslash branch November 14, 2022 21:18
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wtgodbe wtgodbe wtgodbe approved these changes

@halter73 halter73 Awaiting requested review from halter73

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy

@JamesNK JamesNK Awaiting requested review from JamesNK

Assignees

@Tratcher Tratcher

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
7.0.1
Development

Successfully merging this pull request may close these issues.
3 participants
@Tratcher @wtgodbe @amcasey