From 2d4fd05adf6d675704371f4539a31af5260c0f4e Mon Sep 17 00:00:00 2001
From: James Newton-King
Date: Sat, 27 Jul 2019 15:39:25 +1200
Subject: [PATCH] Add host caution to MVC GetUri extension methods (#12629)
---
 .../Routing/ControllerLinkGeneratorExtensions.cs | 16 ++++++++++++++++
 .../src/Routing/PageLinkGeneratorExtensions.cs | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/src/Mvc/Mvc.Core/src/Routing/ControllerLinkGeneratorExtensions.cs b/src/Mvc/Mvc.Core/src/Routing/ControllerLinkGeneratorExtensions.cs
index fb02fae6f4..d15eaef020 100644
--- a/src/Mvc/Mvc.Core/src/Routing/ControllerLinkGeneratorExtensions.cs
+++ b/src/Mvc/Mvc.Core/src/Routing/ControllerLinkGeneratorExtensions.cs
@@ -138,6 +138,14 @@ namespace Microsoft.AspNetCore.Routing
 /// names from RouteOptions.
 ///
 /// A absolute URI, or null if a URI cannot be created.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
 public static string GetUriByAction(
 this LinkGenerator generator,
 HttpContext httpContext,
@@ -189,6 +197,14 @@ namespace Microsoft.AspNetCore.Routing
 /// names from RouteOptions.
 ///
 /// A absolute URI, or null if a URI cannot be created.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
 public static string GetUriByAction(
 this LinkGenerator generator,
 string action,
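Review bot: The added remarks in the first GetUriByAction hunk point to "the deployment documentation" without naming a mechanism, so the caution gives the reader no actionable next step; the identical text is repeated in the second hunk and in both GetUriByPage hunks. I would add a concrete pointer such as `/// For example, restrict accepted hosts with the Host Filtering Middleware (AllowedHosts) or the equivalent setting on your reverse proxy.` This overload takes an HttpContext, and its parameter list continues outside the hunk, so I am assuming an omitted host falls back to the request's Host header. If that is the case, the remark should say so explicitly, e.g. `/// If <paramref name="host" /> is not provided, the Host header of the current request is used as-is.`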
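Review bot: In the second GetUriByAction hunk the overload has no HttpContext parameter (`string action` directly follows `generator`), so "Relying on the value of the current request" has no referent in this signature; the same applies to the second GetUriByPage hunk. For these overloads the caller supplies the host, so the risk is a caller forwarding the request's own value, and the remark would be more accurate as `/// Do not pass HttpContext.Request.Host here unless the Host header has been validated.` The signature continues outside the hunk, so confirm there that host is a required parameter before rewording.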
diff --git a/src/Mvc/Mvc.Core/src/Routing/PageLinkGeneratorExtensions.cs b/src/Mvc/Mvc.Core/src/Routing/PageLinkGeneratorExtensions.cs
index 032831560b..f1725f2fe0 100644
--- a/src/Mvc/Mvc.Core/src/Routing/PageLinkGeneratorExtensions.cs
+++ b/src/Mvc/Mvc.Core/src/Routing/PageLinkGeneratorExtensions.cs
@@ -135,6 +135,14 @@ namespace Microsoft.AspNetCore.Routing
 /// names from RouteOptions.
 ///
 /// A absolute URI, or null if a URI cannot be created.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
 public static string GetUriByPage(
 this LinkGenerator generator,
 HttpContext httpContext,
@@ -186,6 +194,14 @@ namespace Microsoft.AspNetCore.Routing
 /// names from RouteOptions.
 ///
 /// A absolute URI, or null if a URI cannot be created.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
 public static string GetUriByPage(
 this LinkGenerator generator,
 string page,