authorAndrew Jorgensen <ajorgensen@novell.com>2008-08-21 20:51:54 +0400
committerAndrew Jorgensen <ajorgensen@novell.com>2008-08-21 20:51:54 +0400
commitfa2352e7bba168ce21f63ccdb59cce70e69b0b98 (patch)
treeb6fe3b24959762bdac992d09ecbf0c7f845c83e5
parent1dc9f83c08d821aedba65bb1ab7e46d296795d09 (diff)
Merge fix for Bug 418620 - Sys.Web is prone to "HTTP header injection" attacks
mono-1.9.1.1
svn path=/branches/mono-1-9-1-1/mcs/; revision=111276
-rw-r--r--mcs/class/System.Web/System.Web.Configuration/ChangeLog6
-rw-r--r--mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs4
-rw-r--r--mcs/class/System.Web/System.Web/ChangeLog6
-rw-r--r--mcs/class/System.Web/System.Web/HttpResponseHeader.cs50
4 files changed, 64 insertions, 2 deletions
diff --git a/mcs/class/System.Web/System.Web.Configuration/ChangeLog b/mcs/class/System.Web/System.Web.Configuration/ChangeLog
index 818436edf34..b51712504f9 100644
--- a/mcs/class/System.Web/System.Web.Configuration/ChangeLog
+++ b/mcs/class/System.Web/System.Web.Configuration/ChangeLog
@@ -1,3 +1,9 @@
+2008-08-20 Marek Habersack <mhabersack@novell.com>
+
+ * HttpRuntimeConfig.cs: implemented the undocumented (but
+ supported in .NET 1.1) option EnableHeaderChecking to support fix
+ for bug #416620
+
2008-02-28 Marek Habersack <mhabersack@novell.com>
* HandlerFactoryConfiguration.cs: ignore case when matching
diff --git a/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs b/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
index 88c1405f8ea..b2b7f77ed2d 100644
--- a/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
+++ b/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
@@ -55,7 +55,8 @@ namespace System.Web.Configuration
public int IdleTimeout = 20; // minutes
public bool Enable = true;
public string VersionHeader;
-
+ public bool EnableHeaderChecking = true;
+
/* Only the config. handler should create instances of this. Use GetInstance (context) */
public HttpRuntimeConfig (object p)
{
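Review bot: The new `EnableHeaderChecking` field is declared here and copied from the parent config in the next hunk, but nothing in this diff reads an `enableHeaderChecking` attribute out of web.config, so unless the section handler that populates `HttpRuntimeConfig` is updated outside this commit the setting is effectively always true. That is the secure default, but the ChangeLog entry claims the option was implemented, so either wire the attribute up or mark the field accordingly, e.g. `public bool EnableHeaderChecking = true; // httpRuntime enableHeaderChecking; stays on unless the section handler parses it`. The ChangeLog hunk in this commit also cites bug #416620 where the commit title and the other ChangeLog say 418620, which looks like a typo. The constructor that starts on the last line of this hunk continues outside it.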
@@ -92,6 +93,7 @@ namespace System.Web.Configuration
RequireRootSaveAsPath = parent.RequireRootSaveAsPath;
IdleTimeout = parent.IdleTimeout;
Enable = parent.Enable;
+ EnableHeaderChecking = parent.EnableHeaderChecking;
}
}
}
diff --git a/mcs/class/System.Web/System.Web/ChangeLog b/mcs/class/System.Web/System.Web/ChangeLog
index f4a311a5a4f..d1950416c49 100644
--- a/mcs/class/System.Web/System.Web/ChangeLog
+++ b/mcs/class/System.Web/System.Web/ChangeLog
@@ -1,3 +1,9 @@
+2008-08-20 Marek Habersack <mhabersack@novell.com>
+
+ * HttpResponseHeader.cs: encode header values if
+ httpRuntime.enableHeaderChecking is true (default). Fixes bug
+ #418620
+
2008-04-15 Kornél Pál <kornelpal@gmail.com>
* HttpRuntime.cs: Don't add Date header for error pages either. Fixes bug
diff --git a/mcs/class/System.Web/System.Web/HttpResponseHeader.cs b/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
index 82e30af95db..5f34ec4d392 100644
--- a/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
+++ b/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
@@ -30,17 +30,65 @@
using System.Collections;
using System.Text;
+using System.Web.Configuration;
namespace System.Web {
internal abstract class BaseResponseHeader {
- public string Value;
+ string headerValue;
+
+ public string Value {
+ get { return headerValue; }
+ set { headerValue = EncodeHeader (value); }
+ }
+ static bool headerCheckingEnabled;
+
+ static BaseResponseHeader () {
+#if NET_2_0
+ HttpRuntimeSection section = WebConfigurationManager.GetSection ("system.web/httpRuntime") as HttpRuntimeSection;
+#else
+ HttpRuntimeConfig section = HttpContext.GetAppConfig ("system.web/httpRuntime") as HttpRuntimeConfig;
+#endif
+ headerCheckingEnabled = section == null || section.EnableHeaderChecking;
+ }
+
+
internal BaseResponseHeader (string val)
{
Value = val;
}
+ string EncodeHeader (string value)
+ {
+ if (value == null || value.Length == 0)
+ return value;
+
+ if (headerCheckingEnabled) {
+ StringBuilder ret = new StringBuilder ();
+ int len = value.Length;
+
+ for (int i = 0; i < len; i++) {
+ switch (value [i]) {
+ case '\r':
+ ret.Append ("%0d");
+ break;
+
+ case '\n':
+ ret.Append ("%0a");
+ break;
+
+ default:
+ ret.Append (value [i]);
+ break;
+ }
+ }
+
+ return ret.ToString ();
+ } else
+ return value;
+ }
+
internal abstract void SendContent (HttpWorkerRequest wr);
}
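Review bot: The CR/LF encoding in `EncodeHeader` is applied only through the `Value` setter, so header names, which are set by the subclasses outside this hunk, remain unchecked; if any subclass accepts a caller-supplied name it needs the same treatment, otherwise the fix is incomplete. `EncodeHeader` reads no instance state and can be declared `static string EncodeHeader (string value)`. Because `headerCheckingEnabled` is assigned in the static constructor, the httpRuntime setting is read once per AppDomain on first use and a later config change only takes effect after an application restart; the getter also now returns the encoded text, so the property deserves a comment such as `// Stored already CR/LF-encoded (%0d/%0a) when header checking is on; readers see the encoded form.` The hunk ends inside the `System.Web` namespace; the concrete header classes follow outside it.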