Merge commit '509f6badec2f3162f0e50330cd9107e5624b379b' into internal-merge-3.1-2022-03-08-1129

Author: vseanreesermsft

NuGet.config

@@ -4,14 +4,19 @@
     <clear />
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-razor-tooling -->
+    <add key="darc-int-dotnet-razor-tooling-39d9ee3" value="https://pkgs.dev.azure.com/dnceng/_packaging/darc-int-dotnet-razor-tooling-39d9ee3c/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-razor-tooling -->
     <!--  Begin: Package sources from dotnet-corefx -->
+    <add key="darc-int-dotnet-corefx-641ee87" value="https://pkgs.dev.azure.com/dnceng/_packaging/darc-int-dotnet-corefx-641ee87b/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-corefx -->
     <!--  Begin: Package sources from dotnet-core-setup -->
+    <add key="darc-int-dotnet-core-setup-7af614f" value="https://pkgs.dev.azure.com/dnceng/_packaging/darc-int-dotnet-core-setup-7af614fd/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-core-setup -->
     <!--  Begin: Package sources from dotnet-efcore -->
+    <add key="darc-int-dotnet-efcore-213c56e" value="https://pkgs.dev.azure.com/dnceng/_packaging/darc-int-dotnet-efcore-213c56ea/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-efcore -->
     <!--  Begin: Package sources from dotnet-extensions -->
+    <add key="darc-int-dotnet-extensions-8934ddb" value="https://pkgs.dev.azure.com/dnceng/_packaging/darc-int-dotnet-extensions-8934ddbf/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-extensions -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
@@ -23,14 +28,19 @@
     <clear />
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-razor-tooling -->
+    <add key="darc-int-dotnet-razor-tooling-39d9ee3" value="true" />
     <!--  End: Package sources from dotnet-razor-tooling -->
     <!--  Begin: Package sources from dotnet-extensions -->
+    <add key="darc-int-dotnet-extensions-8934ddb" value="true" />
     <!--  End: Package sources from dotnet-extensions -->
     <!--  Begin: Package sources from dotnet-efcore -->
+    <add key="darc-int-dotnet-efcore-213c56e" value="true" />
     <!--  End: Package sources from dotnet-efcore -->
     <!--  Begin: Package sources from dotnet-core-setup -->
+    <add key="darc-int-dotnet-core-setup-7af614f" value="true" />
     <!--  End: Package sources from dotnet-core-setup -->
     <!--  Begin: Package sources from dotnet-corefx -->
+    <add key="darc-int-dotnet-corefx-641ee87" value="true" />
     <!--  End: Package sources from dotnet-corefx -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
   </disabledPackageSources>

eng/Version.Details.xml

@@ -46,4 +46,19 @@ public void MoveTo(System.IO.Stream stream) { }
         [System.Diagnostics.DebuggerStepThroughAttribute]
         public System.Threading.Tasks.Task MoveToAsync(System.IO.Stream stream, System.Threading.CancellationToken cancellationToken) { throw null; }
     }
+
+    internal static partial class Resources
+    {
+        internal static System.Globalization.CultureInfo Culture { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
+        internal static string FormPipeReader_KeyOrValueTooLarge { get { throw null; } }
+        internal static string HttpRequestStreamReader_StreamNotReadable { get { throw null; } }
+        internal static string HttpResponseStreamWriter_StreamNotWritable { get { throw null; } }
+        internal static System.Resources.ResourceManager ResourceManager { get { throw null; } }
+        internal static string FormPipeReader_KeyTooLarge(object p0) { throw null; }
+        internal static string FormPipeReader_ValueTooLarge(object p0) { throw null; }
+        internal static string WebEncoders_InvalidCountOffsetOrLength(object p0, object p1, object p2) { throw null; }
+
+        [System.Runtime.CompilerServices.MethodImpl(System.Runtime.CompilerServices.MethodImplOptions.AggressiveInlining)]
+        internal static string GetResourceString(string resourceKey, string defaultValue = null) { throw null; }
+    }
 }

eng/Versions.props

@@ -5,6 +5,7 @@
 using System.Buffers;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Globalization;
 using System.IO;
 using System.IO.Pipelines;
 using System.Runtime.CompilerServices;
@@ -98,7 +99,7 @@ public async Task<Dictionary<string, StringValues>> ReadFormAsync(CancellationTo
                     }
                     catch
                     {
-                        _pipeReader.AdvanceTo(buffer.Start);
+                        _pipeReader.AdvanceTo(buffer.Start, buffer.End);
                         throw;
                     }
                 }
@@ -244,7 +245,8 @@ private void ParseValuesSlow(
                     if (!isFinalBlock)
                     {
                         // Don't buffer indefinately
-                        if ((uint)(sequenceReader.Consumed - consumedBytes) > (uint)KeyLengthLimit + (uint)ValueLengthLimit)
+                        // +2 to account for '&' and '='
+                        if ((sequenceReader.Length - consumedBytes) > (long)KeyLengthLimit + (long)ValueLengthLimit + 2) 
                         {
                             ThrowKeyOrValueTooLargeException();
                         }
@@ -308,17 +310,30 @@ private void ParseValuesSlow(
 
         private void ThrowKeyOrValueTooLargeException()
         {
-            throw new InvalidDataException($"Form key length limit {KeyLengthLimit} or value length limit {ValueLengthLimit} exceeded.");
+            throw new InvalidDataException(
+                string.Format(
+                    CultureInfo.CurrentCulture,
+                    Resources.FormPipeReader_KeyOrValueTooLarge,
+                    KeyLengthLimit,
+                    ValueLengthLimit));
         }
 
         private void ThrowKeyTooLargeException()
         {
-            throw new InvalidDataException($"Form key length limit {KeyLengthLimit} exceeded.");
+            throw new InvalidDataException(
+                string.Format(
+                    CultureInfo.CurrentCulture,
+                    Resources.FormPipeReader_KeyTooLarge,
+                    KeyLengthLimit));
         }
 
         private void ThrowValueTooLargeException()
         {
-            throw new InvalidDataException($"Form value length limit {ValueLengthLimit} exceeded.");
+            throw new InvalidDataException(
+                string.Format(
+                    CultureInfo.CurrentCulture,
+                    Resources.FormPipeReader_ValueTooLarge,
+                    ValueLengthLimit));
         }
 
         private string GetDecodedStringFromReadOnlySequence(in ReadOnlySequence<byte> ros)

src/Http/WebUtilities/ref/Microsoft.AspNetCore.WebUtilities.Manual.cs

@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="utf-8"?>
 <root>
-  <!--
-    Microsoft ResX Schema
-
+  <!-- 
+    Microsoft ResX Schema 
+    
     Version 2.0
-
-    The primary goals of this format is to allow a simple XML format
-    that is mostly human readable. The generation and parsing of the
-    various data types are done through the TypeConverter classes
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
     associated with the data types.
-
+    
     Example:
-
+    
     ... ado.net/XML headers & schema ...
     <resheader name="resmimetype">text/microsoft-resx</resheader>
     <resheader name="version">2.0</resheader>
@@ -26,36 +26,36 @@
         <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
         <comment>This is a comment</comment>
     </data>
-
-    There are any number of "resheader" rows that contain simple
+                
+    There are any number of "resheader" rows that contain simple 
     name/value pairs.
-
-    Each data row contains a name, and value. The row also contains a
-    type or mimetype. Type corresponds to a .NET class that support
-    text/value conversion through the TypeConverter architecture.
-    Classes that don't support this are serialized and stored with the
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
     mimetype set.
-
-    The mimetype is used for serialized objects, and tells the
-    ResXResourceReader how to depersist the object. This is currently not
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
     extensible. For a given mimetype the value must be set accordingly:
-
-    Note - application/x-microsoft.net.object.binary.base64 is the format
-    that the ResXResourceWriter will generate, however the reader can
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
     read any of the formats listed below.
-
+    
     mimetype: application/x-microsoft.net.object.binary.base64
-    value   : The object must be serialized with
+    value   : The object must be serialized with 
             : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
             : and then encoded with base64 encoding.
-
+    
     mimetype: application/x-microsoft.net.object.soap.base64
-    value   : The object must be serialized with
+    value   : The object must be serialized with 
             : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
             : and then encoded with base64 encoding.
 
     mimetype: application/x-microsoft.net.object.bytearray.base64
-    value   : The object must be serialized into a byte array
+    value   : The object must be serialized into a byte array 
             : using a System.ComponentModel.TypeConverter
             : and then encoded with base64 encoding.
     -->
@@ -117,6 +117,15 @@
   <resheader name="writer">
     <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
+  <data name="FormPipeReader_KeyOrValueTooLarge" xml:space="preserve">
+    <value>Form key length limit {0} or value length limit {1} exceeded.</value>
+  </data>
+  <data name="FormPipeReader_KeyTooLarge" xml:space="preserve">
+    <value>Form key length limit {0} exceeded.</value>
+  </data>
+  <data name="FormPipeReader_ValueTooLarge" xml:space="preserve">
+    <value>Form value length limit {0} exceeded.</value>
+  </data>
   <data name="HttpRequestStreamReader_StreamNotReadable" xml:space="preserve">
     <value>The stream must support reading.</value>
   </data>

src/Http/WebUtilities/src/FormPipeReader.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Buffers;
 using System.Collections.Generic;
+using System.Globalization;
 using System.IO;
 using System.IO.Pipelines;
 using System.Text;
@@ -178,6 +179,34 @@ public async Task ReadFormAsync_ValueLengthLimitExceeded_Throw()
             Assert.Equal(Encoding.UTF8.GetBytes(content), readResult.Buffer.ToArray());
         }
 
+        [Fact]
+        public void ReadFormAsync_ChunkedDataNoDelimiter_ThrowsEarly()
+        {
+            byte[] bytes = CreateBytes_NoDelimiter((10 * 1024) +2);
+            var readOnlySequence = ReadOnlySequenceFactory.SegmentPerByteFactory.CreateWithContent(bytes);
+
+            KeyValueAccumulator accumulator = default;
+
+            var valueLengthLimit = 1024;
+            var keyLengthLimit = 10;
+
+            var formReader = new FormPipeReader(null!)
+            {
+                ValueLengthLimit = valueLengthLimit,
+                KeyLengthLimit = keyLengthLimit
+            };
+
+            var exception = Assert.Throws<InvalidDataException>(
+                () => formReader.ParseFormValues(ref readOnlySequence, ref accumulator, isFinalBlock: false));
+            // Make sure that FormPipeReader throws an exception after hitting KeyLengthLimit + ValueLengthLimit,
+            // Rather than after reading the entire request.
+            Assert.Equal(string.Format(
+                CultureInfo.CurrentCulture,
+                Resources.FormPipeReader_KeyOrValueTooLarge,
+                keyLengthLimit,
+                valueLengthLimit), exception.Message);
+        }
+
         // https://en.wikipedia.org/wiki/Percent-encoding
         [Theory]
         [InlineData("++=hello", "  ", "hello")]
@@ -569,5 +598,17 @@ private static async Task<PipeReader> MakePipeReader(string text)
             bodyPipe.Writer.Complete();
             return bodyPipe.Reader;
         }
+
+        private static byte[] CreateBytes_NoDelimiter(int n)
+        {
+            //Create the bytes of "key=vvvvvvvv....", of length n
+            var keyValue = new char[n];
+            Array.Fill(keyValue, 'v');
+            keyValue[0] = 'k';
+            keyValue[1] = 'e';
+            keyValue[2] = 'y';
+            keyValue[3] = '=';
+            return Encoding.UTF8.GetBytes(keyValue);
+        }
     }
 }

src/Http/WebUtilities/src/Resources.resx

@@ -227,4 +227,4 @@ private static Stream MakeStream(bool bufferRequest, string text)
             return body;
         }
     }
-}
+}