Add security text about Host header

This commit is contained in:
Ryan Nowak 2018-10-05 21:48:43 -07:00
Родитель 384b814349
Коммит 67a1f2dda9
2 изменённых файлов: 114 добавлений и 12 удалений


@ -1,6 +1,7 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Routing;
namespace Microsoft.AspNetCore.Mvc
@ -19,10 +20,18 @@ namespace Microsoft.AspNetCore.Mvc
/// Generates a URL with an absolute path for an action method, which contains the action
/// name, controller name, route values, protocol to use, host name, and fragment specified by
/// <see cref="UrlActionContext"/>. Generates an absolute URL if <see cref="UrlActionContext.Protocol"/> and
/// <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
/// <see cref="UrlActionContext.Host"/> are non-<c>null</c>. See the remarks section for important security information.
/// </summary>
/// <param name="actionContext">The context object for the generated URLs for an action method.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <see cref="UrlActionContext.Host" /> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
string Action(UrlActionContext actionContext);
/// <summary>
@ -65,19 +74,36 @@ namespace Microsoft.AspNetCore.Mvc
/// Generates a URL with an absolute path, which contains the route name, route values, protocol to use, host
/// name, and fragment specified by <see cref="UrlRouteContext"/>. Generates an absolute URL if
/// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
/// See the remarks section for important security information.
/// </summary>
/// <param name="routeContext">The context object for the generated URLs for a route.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <see cref="UrlRouteContext.Host" /> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
string RouteUrl(UrlRouteContext routeContext);
/// <summary>
/// Generates an absolute URL for the specified <paramref name="routeName"/> and route
/// <paramref name="values"/>, which contains the protocol (such as "http" or "https") and host name from the
/// current request.
/// current request. See the remarks section for important security information.
/// </summary>
/// <param name="routeName">The name of the route that is used to generate URL.</param>
/// <param name="values">An object that contains route values.</param>
/// <returns>The generated absolute URL.</returns>
/// <remarks>
/// <para>
/// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
/// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless
/// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly
/// validate the <c>Host</c> header in your deployment environment.
/// </para>
/// </remarks>
string Link(string routeName, object values);
}
}
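Review bot: The new remarks on `Action(UrlActionContext)` and `RouteUrl(UrlRouteContext)` say the `Host` value "should be a trusted value" but never state what happens when it is null while a protocol is given; the summary only says both must be non-null for an absolute URL, so a reader cannot tell whether the request's `Host` header becomes the fallback, which is exactly the case the warning is about. If the implementation does fall back to `HttpRequest.Host` in that situation (implied by the wording, but not visible in these hunks), say so explicitly in the remarks, e.g. `/// If <see cref="UrlActionContext.Host"/> is <c>null</c> and a protocol is specified, the host of the current request is used; that value comes from the <c>Host</c> header and must be validated before it can be trusted.` The pointer to "the deployment documentation" is unanchored in all three remarks; a `<see href="[deployment-docs-url]"/>` carrying the real link would make the mitigation actionable from IntelliSense. The enclosing `IUrlHelper` interface starts before the first hunk.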


@ -2,9 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Diagnostics;
using Microsoft.AspNetCore.Mvc.Core;
using Microsoft.AspNetCore.Mvc.Internal;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Routing;
using Microsoft.AspNetCore.Routing;
@ -108,7 +106,7 @@ namespace Microsoft.AspNetCore.Mvc
/// <summary>
/// Generates a URL with an absolute path for an action method, which contains the specified
/// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>, and
/// <paramref name="protocol"/> to use.
/// <paramref name="protocol"/> to use. See the remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="action">The name of the action method.</param>
@ -116,6 +114,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="values">An object that contains route values.</param>
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
/// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless
/// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly
/// validate the <c>Host</c> header in your deployment environment.
/// </para>
/// </remarks>
public static string Action(
this IUrlHelper helper,
string action,
@ -136,7 +142,7 @@ namespace Microsoft.AspNetCore.Mvc
/// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>,
/// <paramref name="protocol"/> to use, and <paramref name="host"/> name.
/// Generates an absolute URL if the <paramref name="protocol"/> and <paramref name="host"/> are
/// non-<c>null</c>.
/// non-<c>null</c>. See the remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="action">The name of the action method.</param>
@ -145,6 +151,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <param name="host">The host name for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string Action(
this IUrlHelper helper,
string action,
@ -166,7 +180,7 @@ namespace Microsoft.AspNetCore.Mvc
/// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>,
/// <paramref name="protocol"/> to use, <paramref name="host"/> name, and <paramref name="fragment"/>.
/// Generates an absolute URL if the <paramref name="protocol"/> and <paramref name="host"/> are
/// non-<c>null</c>.
/// non-<c>null</c>. See the remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="action">The name of the action method.</param>
@ -176,6 +190,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="host">The host name for the URL.</param>
/// <param name="fragment">The fragment for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string Action(
this IUrlHelper helper,
string action,
@ -253,13 +275,22 @@ namespace Microsoft.AspNetCore.Mvc
/// <summary>
/// Generates a URL with an absolute path for the specified route <paramref name="routeName"/> and route
/// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use.
/// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use. See the
/// remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="routeName">The name of the route that is used to generate URL.</param>
/// <param name="values">An object that contains route values.</param>
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
/// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless
/// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly
/// validate the <c>Host</c> header in your deployment environment.
/// </para>
/// </remarks>
public static string RouteUrl(
this IUrlHelper helper,
string routeName,
@ -279,6 +310,7 @@ namespace Microsoft.AspNetCore.Mvc
/// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use and
/// <paramref name="host"/> name. Generates an absolute URL if
/// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
/// See the remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="routeName">The name of the route that is used to generate URL.</param>
@ -286,6 +318,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <param name="host">The host name for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string RouteUrl(
this IUrlHelper helper,
string routeName,
@ -306,6 +346,7 @@ namespace Microsoft.AspNetCore.Mvc
/// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use,
/// <paramref name="host"/> name and <paramref name="fragment"/>. Generates an absolute URL if
/// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
/// See the remarks section for important security information.
/// </summary>
/// <param name="helper">The <see cref="IUrlHelper"/>.</param>
/// <param name="routeName">The name of the route that is used to generate URL.</param>
@ -314,6 +355,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="host">The host name for the URL.</param>
/// <param name="fragment">The fragment for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string RouteUrl(
this IUrlHelper helper,
string routeName,
@ -382,7 +431,8 @@ namespace Microsoft.AspNetCore.Mvc
=> Page(urlHelper, pageName, pageHandler, values, protocol: null);
/// <summary>
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section
/// for important security information.
/// </summary>
/// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
/// <param name="pageName">The page name to generate the url for.</param>
@ -390,6 +440,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="values">An object that contains route values.</param>
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
/// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless
/// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly
/// validate the <c>Host</c> header in your deployment environment.
/// </para>
/// </remarks>
public static string Page(
this IUrlHelper urlHelper,
string pageName,
@ -399,7 +457,8 @@ namespace Microsoft.AspNetCore.Mvc
=> Page(urlHelper, pageName, pageHandler, values, protocol, host: null, fragment: null);
/// <summary>
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section for
/// important security information.
/// </summary>
/// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
/// <param name="pageName">The page name to generate the url for.</param>
@ -408,6 +467,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
/// <param name="host">The host name for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string Page(
this IUrlHelper urlHelper,
string pageName,
@ -418,7 +485,8 @@ namespace Microsoft.AspNetCore.Mvc
=> Page(urlHelper, pageName, pageHandler, values, protocol, host, fragment: null);
/// <summary>
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
/// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section for
/// important security information.
/// </summary>
/// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
/// <param name="pageName">The page name to generate the url for.</param>
@ -428,6 +496,14 @@ namespace Microsoft.AspNetCore.Mvc
/// <param name="host">The host name for the URL.</param>
/// <param name="fragment">The fragment for the URL.</param>
/// <returns>The generated URL.</returns>
/// <remarks>
/// <para>
/// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
/// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
/// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
/// your deployment environment.
/// </para>
/// </remarks>
public static string Page(
this IUrlHelper urlHelper,
string pageName,
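Review bot: In the overloads that take an explicit `host` (the `Action`, `RouteUrl` and `Page` hunks whose remarks read "The value of <paramref name="host"/> should be a trusted value"), the trust requirement lives only in `<remarks>`, while `<param name="host">` still reads just "The host name for the URL."; parameter-help tooltips surface the `<param>` text, so the caller typing the argument does not see the warning where it matters most. Repeat the one-line constraint on the parameter itself in each of those overloads, e.g. `/// <param name="host">The host name for the URL. This must be a trusted value; do not pass an unvalidated <c>Host</c> header.</param>`. The remark paragraph is otherwise duplicated verbatim across both files, which is a maintenance risk for security guidance that may later need to name a concrete mitigation; if the project's doc tooling supports it, `<inheritdoc cref="IUrlHelper.Action(UrlActionContext)" path="/remarks"/>` on the extension overloads would keep a single authoritative copy. The method bodies of every overload continue outside their hunks.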