[Archived] HTTP abstractions such as HttpRequest, HttpResponse, and HttpContext, as well as common web utilities. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0
382
stars
193
forks
source link
Do not throw a null reference from request.GetDisplayUrl() #1057
This is based on a customer bug. It is possible for a middleware and other participants in the request pipeline to modify things like properties of the request (i.e. PathBase).
Then, when request.GetDisplayUrl() is called on the same request, there are no null checks on the request properties needed to compute the URL, which in extreme cases causes it to throw an unhandled exception.
One example of running into this, is a following middleware.
When issuing a request without x-forwarded-prefix that then calls into request.GetDisplayUrl(), we get a null ref.
While in this case it can be argued that the middleware should validate what it is actually doing, in general I don't think a framework method like request.GetDisplayName() should ever throw a null reference.
Tratcher
commented
6 years ago
This is based on a customer bug. It is possible for a middleware and other participants in the request pipeline to modify things like properties of the request (i.e.
PathBase). Then, whenrequest.GetDisplayUrl()is called on the same request, there are no null checks on the request properties needed to compute the URL, which in extreme cases causes it to throw an unhandled exception.One example of running into this, is a following middleware.
When issuing a request without
x-forwarded-prefixthat then calls intorequest.GetDisplayUrl(), we get a null ref.While in this case it can be argued that the middleware should validate what it is actually doing, in general I don't think a framework method like
request.GetDisplayName()should ever throw a null reference.