From c94b2dd061870567e45fa18a721a208baa61dc78 Mon Sep 17 00:00:00 2001
From: Javier Calvarro Nelson
Date: Mon, 28 Oct 2019 10:59:43 +0100
Subject: [PATCH] [Blazor][Fixes #15399]The Blazor descriptor can contain two consecutive dashes (#15412)
* We Base64 encode the descriptor instead of Base64Url encode it as data protection does with its string overload.
* It uses "+/" instead of "-_", both of which are safe inside HTML comments.
* The descriptors are not sent in any url, nor are present inside headers or similar, so Base64 encoding them is fine.
---
 .../Server/src/Circuits/ServerComponentDeserializer.cs | 5 ++++-
 src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs b/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs
index 039ae1ad8f..a8ff087396 100644
--- a/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs
+++ b/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs
@@ -3,6 +3,7 @@
 using System;
 using System.Collections.Generic;
+using System.Text;
 using System.Text.Json;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Logging;
@@ -153,7 +154,9 @@ namespace Microsoft.AspNetCore.Components.Server
 string unprotected;
 try
 {
- unprotected = _dataProtector.Unprotect(record.Descriptor);
+ var payload = Convert.FromBase64String(record.Descriptor);
+ var unprotectedBytes = _dataProtector.Unprotect(payload);
+ unprotected = Encoding.UTF8.GetString(unprotectedBytes);
 }
 catch (Exception e)
 {
diff --git a/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs b/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs
index d5c3a3c270..a854be20fe 100644
--- a/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs
+++ b/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs
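Review bot: `Convert.FromBase64String(record.Descriptor)` on the first added line throws `FormatException` for a malformed descriptor (and `ArgumentNullException` when it is null) before `_dataProtector.Unprotect` runs, so the enclosing `catch (Exception e)`, whose body continues outside the hunk, now also absorbs decode failures. For a client-supplied descriptor that is the right outcome — an unparseable payload and a tampered or expired one should be rejected on the same path — but it is not obvious from the three lines and deserves a comment such as `// A malformed Base64 string and an Unprotect failure (tampered/expired payload) both land in the catch below; they are deliberately not distinguished.` Note also that `Encoding.UTF8.GetString` substitutes U+FFFD for invalid byte sequences rather than throwing; that is acceptable here only because the bytes have already passed the data protector's integrity check. If a page rendered by a server still running the previous Base64Url-emitting serializer can reach this code during a rolling deployment, those descriptors will presumably fail the decode and be rejected, which is worth confirming before shipping.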
@@ -3,6 +3,7 @@
 using System;
 using System.Collections.Generic;
+using System.Text;
 using System.Text.Json;
 using Microsoft.AspNetCore.Components;
 using Microsoft.AspNetCore.DataProtection;
@@ -43,7 +44,9 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
 invocationId.Value);
 var serializedServerComponent = JsonSerializer.Serialize(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
- return (serverComponent.Sequence, _dataProtector.Protect(serializedServerComponent, ServerComponentSerializationSettings.DataExpiration));
+ var serializedServerComponentBytes = JsonSerializer.SerializeToUtf8Bytes(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
+ var protectedBytes = _dataProtector.Protect(serializedServerComponentBytes, ServerComponentSerializationSettings.DataExpiration);
+ return (serverComponent.Sequence, Convert.ToBase64String(protectedBytes));
 }
 internal IEnumerable GetPreamble(ServerComponentMarker record)
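Review bot: The context line `var serializedServerComponent = JsonSerializer.Serialize(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);` is now dead: its only consumer was the removed `return`, and nothing between it and the closing brace reads it, so the component is serialized twice per marker and the local will trip an unused-variable diagnostic. Delete that line and keep only the `SerializeToUtf8Bytes` call that feeds `_dataProtector.Protect`. The `Convert.ToBase64String` output (`+`, `/`, `=` alphabet) matches the commit message's intent of keeping `--` out of the HTML-comment marker, and it must stay paired with `Convert.FromBase64String` in ServerComponentDeserializer, since that decoder rejects the Base64Url alphabet; a comment on the return line, e.g. `// Standard Base64 (not Base64Url): the marker is emitted inside an HTML comment, never in a URL, and must decode with Convert.FromBase64String.`, would pin that contract.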