Allow leading CR/LF in HTTP request lines in Kestrel. (#40859)

Author: adityamandaleeka

src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs

@@ -38,6 +38,14 @@ public HttpParser(bool showErrorDetails)
 
         public bool ParseRequestLine(TRequestHandler handler, ref SequenceReader<byte> reader)
         {
+            // Skip any leading \r or \n on the request line. This is not technically allowed,
+            // but apparently there are enough clients relying on this that it's worth allowing.
+            // Peek first as a minor performance optimization; it's a quick inlined check.
+            if (reader.TryPeek(out byte b) && (b == ByteCR || b == ByteLF))
+            {
+                reader.AdvancePastAny(ByteCR, ByteLF);
+            }
+
             if (reader.TryReadTo(out ReadOnlySpan<byte> requestLine, ByteLF, advancePastDelimiter: true))
             {
                 ParseRequestLine(handler, requestLine);

src/Servers/Kestrel/Core/test/StartLineTests.cs

@@ -6,6 +6,7 @@
 using System.IO.Pipelines;
 using System.Text;
 using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal;
@@ -516,6 +517,55 @@ public void AuthorityForms(string rawTarget, string path, string query)
             DifferentFormsWorkTogether();
         }
 
+        public static IEnumerable<object[]> GetCrLfAndMethodCombinations()
+        {
+            // HTTP methods to test
+            var methods = new string[] {
+                HttpMethods.Connect,
+                HttpMethods.Delete,
+                HttpMethods.Get,
+                HttpMethods.Head,
+                HttpMethods.Options,
+                HttpMethods.Patch,
+                HttpMethods.Post,
+                HttpMethods.Put,
+                HttpMethods.Trace
+            };
+
+            // Prefixes to test
+            var crLfPrefixes = new string[] {
+                "\r",
+                "\n",
+                "\r\r\r\r\r",
+                "\r\n",
+                "\n\r"
+            };
+
+            foreach (var method in methods)
+            {
+                foreach (var prefix in crLfPrefixes)
+                {
+                    yield return new object[] { prefix, method };
+                }
+            }
+        }
+
+        [Theory]
+        [MemberData(nameof(GetCrLfAndMethodCombinations))]
+        public void LeadingCrLfAreAllowed(string startOfRequestLine, string httpMethod)
+        {
+            var rawTarget = "http://localhost/path1?q=123&w=xyzw";
+            Http1Connection.Reset();
+            // RawTarget, Path, QueryString are null after reset
+            Assert.Null(Http1Connection.RawTarget);
+            Assert.Null(Http1Connection.Path);
+            Assert.Null(Http1Connection.QueryString);
+
+            var ros = new ReadOnlySequence<byte>(Encoding.ASCII.GetBytes($"{startOfRequestLine}{httpMethod} {rawTarget} HTTP/1.1\r\n"));
+            var reader = new SequenceReader<byte>(ros);
+            Assert.True(Parser.ParseRequestLine(ParsingHandler, ref reader));
+        }
+
         public StartLineTests()
         {
             MemoryPool = PinnedBlockMemoryPoolFactory.Create();