xml/System/Uri.xml
Lines changed: 30 additions & 3 deletions
@@ -188,6 +188,36 @@ Uri uri1 = new Uri("C:/test/path/file.txt") // Implicit file path.
188
188
Uri uri2 = new Uri("file:///C:/test/path/file.txt") // Explicit file path.
189
189
```
190
190
These implicit file paths are not compliant with the URI specification and so should be avoided when possible. When using .NET Core on Unix-based systems, implicit file paths can be especially problematic, because an absolute implicit file path is *indistinguishable* from a relative path. When such ambiguity is present, <xref:System.Uri> default to interpreting the path as an absolute URI.
191
+
192
+
## Security Considerations
193
+
194
+
Because of security concerns, your application should use caution when accepting <xref:System.Uri> instances from untrusted sources and with `dontEscape` set to `true` in the [constructor](xref:System.Uri.%23ctor(System.String,System.Boolean)). You can check a URI string for validity by calling the <xref:System.Uri.IsWellFormedOriginalString%2A> method.
195
+
196
+
When dealing with untrusted user input, confirm assumptions about the newly created `Uri` instance before trusting its properties.
197
+
This can be done in the following way:
198
+
199
+
```csharp
200
+
string userInput = ...;
201
+
202
+
Uri baseUri = new Uri("https://myWebsite/files/");
203
+
204
+
if (!Uri.TryCreate(baseUri, userInput, out Uri newUri))
205
+
{
206
+
// Fail: invalid input.
207
+
}
208
+
209
+
if (!baseUri.IsBaseOf(newUri))
210
+
{
211
+
// Fail: the Uri base has been modified - the created Uri is not rooted in the original directory.
212
+
}
213
+
```
214
+
215
+
This validation can be used in other cases, like when dealing with UNC paths, by simply changing the `baseUri`:
216
+
217
+
```csharp
218
+
Uri baseUri = new Uri(@"\\host\share\some\directory\name\");
219
+
```
220
+
191
221
192
222
## Performance Considerations
193
223
If you use a *Web.config *file that contains URIs to initialize your application, additional time is required to process the URIs if their scheme identifiers are nonstandard. In such a case, initialize the affected parts of your application when the URIs are needed, not at start time.
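Review bot: the two failure branches in the new sample (the `// Fail: invalid input.` block after `Uri.TryCreate` and the `// Fail: the Uri base has been modified ...` block after `IsBaseOf`) hold only a comment, so as written control falls through: when `TryCreate` returns false the code continues to `baseUri.IsBaseOf(newUri)` with `newUri` null, which throws `ArgumentNullException` rather than rejecting the input, and a failed `IsBaseOf` check rejects nothing at all. Since readers copy documentation samples as-is, add an explicit exit in each block, e.g. `throw new ArgumentException("Invalid or out-of-root input.");` or `return;`, so the sample is fail-closed. Minor, in the unchanged context line just above the new section: `<xref:System.Uri> default to interpreting the path` should read `defaults`, worth fixing while this paragraph is being touched.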
@@ -203,9 +233,6 @@ Uri uri2 = new Uri("file:///C:/test/path/file.txt") // Explicit file path.
203
233
204
234
]]></format>
205
235
</remarks>
206
-
<blocksubset="none"type="usage">
207
-
<para>Because of security concerns, your application should use caution when accepting <seecref="T:System.Uri" /> instances from untrusted sources and with <paramrefname="dontEscape" /> set to <seelangword="true" />.You can check a URI string for validity by calling the <seecref="M:System.Uri.IsWellFormedOriginalString" /> method.</para>
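Review bot: the hunk header (`-203,9 +233,6`) counts three deleted lines but only two `-` lines are shown here (the `<block subset="none" type="usage">` opener and its `<para>`); confirm the third deletion is the matching `</block>` so the XML stays well-formed once the opening tag is gone. The removed `<para>` text is carried over almost verbatim into the new `## Security Considerations` remarks in the first hunk, now with an explicit link to the `dontEscape` constructor overload, so no guidance is lost by dropping the usage block.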