diff --git a/src/Microsoft.AspNetCore.StaticFiles/StaticFileContext.cs b/src/Microsoft.AspNetCore.StaticFiles/StaticFileContext.cs index 1e48e0e998..86b20e5628 100644 --- a/src/Microsoft.AspNetCore.StaticFiles/StaticFileContext.cs +++ b/src/Microsoft.AspNetCore.StaticFiles/StaticFileContext.cs @@ -15,6 +15,7 @@ using Microsoft.AspNetCore.Http.Headers; using Microsoft.AspNetCore.StaticFiles.Infrastructure; using Microsoft.Extensions.FileProviders; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Primitives; using Microsoft.Net.Http.Headers; namespace Microsoft.AspNetCore.StaticFiles @@ -228,21 +229,32 @@ namespace Microsoft.AspNetCore.StaticFiles return; } - var rangeHeader = _requestHeaders.Range; - if (rangeHeader == null) + var rawRangeHeader = _request.Headers[HeaderNames.Range]; + if (StringValues.IsNullOrEmpty(rawRangeHeader)) { return; } - if (rangeHeader.Ranges.Count > 1) + // Perf: Check for a single entry before parsing it + if (rawRangeHeader.Count > 1 || rawRangeHeader[0].IndexOf(',') >= 0) { // The spec allows for multiple ranges but we choose not to support them because the client may request // very strange ranges (e.g. each byte separately, overlapping ranges, etc.) that could negatively // impact the server. Ignore the header and serve the response normally. - _logger.LogMultipleFileRanges(rangeHeader.ToString()); + _logger.LogMultipleFileRanges(rawRangeHeader.ToString()); return; } + var rangeHeader = _requestHeaders.Range; + if (rangeHeader == null) + { + // Invalid + return; + } + + // Already verified above + Debug.Assert(rangeHeader.Ranges.Count == 1); + // 14.27 If-Range var ifRangeHeader = _requestHeaders.IfRange; if (ifRangeHeader != null)