[Blazor][Fixes #15399]The Blazor descriptor can contain two consecutive dashes (#15412)

* We Base64-encode the descriptor instead of Base64Url-encoding it, which is what data protection does with its string overload.
* It uses "+/" instead of "-_", both of which are safe inside HTML
  comments.
* The descriptors are not sent in any url, nor are present inside headers
  or similar, so Base64 encoding them is fine.
This commit is contained in:
Javier Calvarro Nelson 2019-10-28 10:59:43 +01:00 committed by GitHub
parent bf846cb845
commit c94b2dd061
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 2 deletions


@ -3,6 +3,7 @@
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Logging;
@ -153,7 +154,9 @@ namespace Microsoft.AspNetCore.Components.Server
string unprotected;
try
{
unprotected = _dataProtector.Unprotect(record.Descriptor);
var payload = Convert.FromBase64String(record.Descriptor);
var unprotectedBytes = _dataProtector.Unprotect(payload);
unprotected = Encoding.UTF8.GetString(unprotectedBytes);
}
catch (Exception e)
{
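Review bot: The decode on the `var payload = Convert.FromBase64String(record.Descriptor);` line now runs on client-supplied text before any integrity check, so a malformed or null `Descriptor` surfaces as `FormatException`/`ArgumentNullException` rather than the failure the `catch (Exception e)` below was presumably written for; the catch still absorbs both, but its body is outside the hunk, so confirm the logged reason does not report a malformed marker as a failed unprotect. The encoding is also an unstated contract with the producing side in Microsoft.AspNetCore.Mvc.ViewFeatures (the second file in this commit), so a comment above the decode such as `// Descriptor is plain Base64, not Base64Url: the marker sits inside an HTML comment and Base64Url's '-' can form "--". Must match the Protect side in Mvc.ViewFeatures.` would keep the two ends from drifting. The enclosing method starts and ends outside the hunk.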


@ -3,6 +3,7 @@
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.DataProtection;
@ -43,7 +44,9 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
invocationId.Value);
var serializedServerComponent = JsonSerializer.Serialize(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
return (serverComponent.Sequence, _dataProtector.Protect(serializedServerComponent, ServerComponentSerializationSettings.DataExpiration));
var serializedServerComponentBytes = JsonSerializer.SerializeToUtf8Bytes(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
var protectedBytes = _dataProtector.Protect(serializedServerComponentBytes, ServerComponentSerializationSettings.DataExpiration);
return (serverComponent.Sequence, Convert.ToBase64String(protectedBytes));
}
internal IEnumerable<string> GetPreamble(ServerComponentMarker record)
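Review bot: The reason the return line now emits `Convert.ToBase64String(protectedBytes)` instead of the protector's string overload is recorded only in the commit message; put it next to the code, e.g. `// Plain Base64, not Base64Url: the marker is embedded in an HTML comment and Base64Url's '-' can produce "--", which is invalid there. Components.Server decodes this with Convert.FromBase64String.` Note that `+`, `/` and `=` are safe inside a comment but not in every context, so this encoding relies on the marker never being written into an attribute or URL, as the commit message states. If the directive added in the first hunk of this file is `using System.Text;`, nothing in the new code here uses it (`Convert` is in `System`, `JsonSerializer` in `System.Text.Json`) and it can be dropped. The enclosing method starts outside the hunk.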