[release/10.0] Prevent format injection in hosting Windows PAL printf functions when redirected to file #119728
Merged
agocke merged 1 commit into release/10.0 from Sep 18, 2025
… redirected to file Fixes #119566
jkotas
approved these changes
Sep 15, 2025
Contributor
Tagging subscribers to this area: @vitek-karas, @agocke, @VSadov
Member
/backport to release/9.0
Contributor
Author
Started backporting to release/9.0: https://github.com/dotnet/runtime/actions/runs/17781043673
Contributor
Author
@jkoritzinsky backporting to "release/9.0" failed, the patch most likely resulted in conflicts:
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: Prevent format injection in hosting Windows PAL printf functions when redirected to file
.git/rebase-apply/patch:20: trailing whitespace.
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M src/native/corehost/hostmisc/pal.windows.cpp
Falling back to patching base and 3-way merge...
Auto-merging src/native/corehost/hostmisc/pal.windows.cpp
CONFLICT (content): Merge conflict in src/native/corehost/hostmisc/pal.windows.cpp
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Prevent format injection in hosting Windows PAL printf functions when redirected to file
Error: The process '/usr/bin/git' failed with exit code 128
Please backport manually!
Member
/ba-g failures are unrelated. Regex and apphost test failures.
Backport of #119568 to release/10.0
/cc @jkoritzinsky @nike4613
Customer Impact
Prevents environment variables with formatting markup from being passed through to redirected output formatting.
Regression
This passthrough from environment variable is only possible in .NET 10.
Testing
Manual validation.
Risk
Low. Isolated fix.
IMPORTANT: If this backport is for a servicing release, please verify that:
release/X.0-staging, not release/X.0.
Package authoring no longer needed in .NET 9
IMPORTANT: Starting with .NET 9, you no longer need to edit a NuGet package's csproj to enable building and bump the version.
Keep in mind that we still need package authoring in .NET 8 and older versions.
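The defect class named in the title, shown as an added example that is not code from dotnet/runtime or from this PR: a printf-style file writer receives externally supplied text as its format string, next to the form that passes it only as data. `file_printf`, `write_unsafe`, `write_safe`, `capture` and the sample value are hypothetical names and constructed input; the sample uses only `%%`, the one directive that takes no argument, so the difference is observable without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style helper that writes to a file. */
static int file_printf(FILE *out, const char *format, ...) {
    va_list args;
    va_start(args, format);
    int written = vfprintf(out, format, args);
    va_end(args);
    return written;
}

/* Before: externally supplied text is used as the format string itself. */
static int write_unsafe(FILE *out, const char *text) {
    return file_printf(out, text);
}

/* After: the format is a constant; the text is only ever an argument. */
static int write_safe(FILE *out, const char *text) {
    return file_printf(out, "%s", text);
}

/* Runs one writer against a temporary file and reads back what landed in it. */
static int capture(int (*writer)(FILE *, const char *), const char *text,
                   char *buf, size_t cap) {
    FILE *tmp = tmpfile();
    if (tmp == NULL || cap == 0) {
        if (tmp != NULL) fclose(tmp);
        return -1;
    }
    writer(tmp, text);
    rewind(tmp);
    size_t n = fread(buf, 1, cap - 1, tmp);
    buf[n] = '\0';
    fclose(tmp);
    return (int)n;
}

/* Constructed sample standing in for an environment variable's value. */
static const char SAMPLE[] = "TRACE_TAG=100%% ready";

int main(void) {
    char unsafe_out[64], safe_out[64];
    capture(write_unsafe, SAMPLE, unsafe_out, sizeof unsafe_out);
    capture(write_safe, SAMPLE, safe_out, sizeof safe_out);
    printf("input : %s\nunsafe: %s\nsafe  : %s\n", SAMPLE, unsafe_out, safe_out);
    return strcmp(safe_out, SAMPLE) == 0 ? 0 : 1;
}
```

With any directive other than `%%` in the text, the "before" form reads arguments that were never passed, which is why the text must never reach the format position.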