Skip to content

Add some validation to UriBuilder.Host setter #121083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MihaZupan merged 3 commits into from
Nov 10, 2025
Merged

Add some validation to UriBuilder.Host setter #121083

MihaZupan merged 3 commits into from
Nov 10, 2025

Conversation

@MihaZupan
Copy link
Member

@MihaZupan MihaZupan commented Oct 24, 2025

Block inputs for the UriBuilder.Host setter that would "escape" the component.
Similar to #74953

This does intentionally break inputs like .Host = "host/path", "::]", user@host ...

@MihaZupan MihaZupan added this to the 11.0.0 milestone Oct 24, 2025
@MihaZupan MihaZupan self-assigned this Oct 24, 2025
@build-analysis build-analysis bot mentioned this pull request Oct 25, 2025
Closed
@MihaZupan MihaZupan mentioned this pull request Oct 30, 2025
Merged
This was referenced Nov 4, 2025
Open
Closed
@MihaZupan MihaZupan marked this pull request as ready for review November 5, 2025 16:38
Copilot AI review requested due to automatic review settings November 5, 2025 16:38
Copilot AI reviewed Nov 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances validation of host strings in UriBuilder to prevent malformed host inputs that could escape into other URI components. The changes add early validation to reject hosts containing problematic characters like /, ?, #, and @, while still supporting IPv6 addresses.

  • Adds a SearchValues set for efficiently detecting problematic characters in host strings
  • Implements validation logic to reject hosts with characters that could escape into path, query, or fragment components
  • Adds comprehensive test coverage for invalid host strings and their rejection behavior

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/libraries/System.Private.Uri/src/System/UriBuilder.cs Adds s_hostReservedChars SearchValues and implements enhanced host validation logic with special handling for IPv6 addresses
src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderTests.cs Removes test cases with malformed IPv6 syntax, adds test for valid IPv6 zone ID, and adds comprehensive test coverage for invalid host strings

This was referenced Nov 5, 2025
Open
Open
Open
This was referenced Nov 6, 2025
Open
Open
@build-analysis build-analysis bot mentioned this pull request Nov 7, 2025
Open
3 tasks
@MihaZupan
Copy link
Member Author

MihaZupan commented Nov 10, 2025

/ba-g Failures are android timeouts

@MihaZupan MihaZupan merged commit 6a393a5 into dotnet:main Nov 10, 2025
69 of 87 checks passed
@dotnet-maestro dotnet-maestro bot mentioned this pull request Nov 11, 2025
Merged
@MihaZupan MihaZupan mentioned this pull request Nov 26, 2025
Merged
@MihaZupan MihaZupan added breaking-change Issue or PR that represents a breaking API or functional change over a previous release. needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet labels Nov 26, 2025
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Nov 26, 2025

Added needs-breaking-change-doc-created label because this PR has the breaking-change label.

When you commit this breaking change:

  1. Create and link to this PR and the issue a matching issue in the dotnet/docs repo using the breaking change documentation template, then remove this needs-breaking-change-doc-created label.
  2. Ask a committer to mail the .NET Breaking Change Notification DL.

Tagging @dotnet/compat for awareness of the breaking change.

@github-actions github-actions bot locked and limited conversation to collaborators Dec 27, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@rzikm rzikm rzikm approved these changes

Assignees

@MihaZupan MihaZupan

Labels

area-System.Net breaking-change Issue or PR that represents a breaking API or functional change over a previous release. needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@MihaZupan @rzikm