Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

forbid http request with invalid version #102423

Merged
merged 9 commits into from
Jun 3, 2024
Merged

forbid http request with invalid version #102423

merged 9 commits into from
Jun 3, 2024

Conversation

pedrobsaila
Copy link
Contributor

Fixes #72185

@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label May 19, 2024
huoyaoyuan
huoyaoyuan reviewed May 20, 2024
View reviewed changes
src/libraries/System.Net.Http/src/System/Net/Http/HttpRequestMessage.cs Outdated
Comment on lines 43 to 47
if (value != HttpVersion.Version10 && value != HttpVersion.Version11 && value != HttpVersion.Version20 && value != HttpVersion.Version30)
{
throw new ArgumentOutOfRangeException(nameof(value), SR.net_http_request_invalid_version);
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it extensible for future? What if a third-party http client implementation that accepts higher versions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it extensible for future?

What do you mean by extensible ? Is it handling new versions as they come off ? or giving users an api so they choose the versions they want ?

What if a third-party http client implementation that accepts higher versions?

See #72185 (comment)

Question is whether that could break someone. For instance, someone asking for 2.5 and getting HTTP/2.

If we'd chose to go the strict way, we should probably get it in early in the release to see if someone gets borked by it.

This change is made as an experiment, it will probably be rolled back if people complain about it

Copy link
Contributor

@hez2010 hez2010 May 20, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it handling new versions as they come off ? or giving users an api so they choose the versions they want ?

HttpRequestMessage is decoupled from HttpClient and can be used by others as well. I can assume when a new HTTP version comes out in the future there will be some 3rd implementations using the HttpRequestMessage, but this change will block them reusing the built-in type.

There isn't any restriction that doesn't allow users to create a HttpRequestMessage with unknown versions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you prefer doing validation higher in HttpClient.Send methods or below the stack in Socket/Connection Handlers ?

Copy link
Member

@ManickaP ManickaP May 27, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, this should be handled at the specific handler level. You can check out

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectionPool/HttpConnectionPool.cs

Line 399 in 0588f24

public async ValueTask<HttpResponseMessage> SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, bool async, bool doRequestAuth, CancellationToken cancellationToken)
for Sockets handler.

ManickaP
ManickaP approved these changes May 30, 2024
View reviewed changes
Copy link
Member

@ManickaP ManickaP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you. This might be considered breaking change, since we were much more lenient before and now it might throw for some people.

@ManickaP
Copy link
Member

@dotnet/ncl Any concerns here? Or can we merge?

@antonfirsov
Copy link
Member

/azp run runtime-libraries-coreclr outerloop

(just in case)

@azure-pipelines Azure Pipelines
Copy link

No pipelines are associated with this pull request.

@antonfirsov
Copy link
Member

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@ManickaP
Copy link
Member

ManickaP commented Jun 3, 2024

Outerloop failures are unrelated and being handled in #102986

@ManickaP ManickaP merged commit 6dabbd1 into dotnet:main Jun 3, 2024
83 of 91 checks passed
@pedrobsaila pedrobsaila deleted the 72185 branch June 3, 2024 12:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@huoyaoyuan huoyaoyuan huoyaoyuan left review comments

@hez2010 hez2010 hez2010 left review comments

@ManickaP ManickaP ManickaP approved these changes

Assignees
No one assigned
Labels
area-System.Net.Http community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Request with HttpVersion > 3 and RequestVersionOrHigher policy sent as H/3 request
5 participants
@pedrobsaila @ManickaP @antonfirsov @huoyaoyuan @hez2010