This takes PathNormalizer from Kestrel to normalize the request path and prevent traversals. (e.g. "/./" and "/../").
In 2.1 only HttpSys was affected (https://dev.azure.com/dnceng/internal/_git/aspnet-AspNetCore/pullrequest/1480). In 2.2 HttpSys and IIS-in-proc share this code (with additional tests). In 3.0 we'll refactor it to use more shared source across all three servers.
* Update build.cmd to install .NET Core into $repoRoot/.dotnet instead of $repoRoot/.dotnet/x64
* Move restore sources from build/sources.props into eng/Versions.props (following arcade conventions)
* Remove usages of RuntimeFrameworkVersion in tests and build
* Update Blazor VSIX to use Arcade VSIX tools
* Rename Common.Tests to IIS.Common.TestLib and make it a test asset
* Remove custom versions props for ANCM installer code
* Remove duplicate references to xunit and remove usages of IsTestProject
* Remove duplicate references to Internal.AspNetCore.Analyzers
* Import Arcade.Sdk props and targets and remove custom versioning props
* Remove references to Internal.AspNetCore.Sdk
* Rename PackageLicenseType => PackageLicenseExpression
* Remove dependency on tasks in Internal.AspNetCore.Sdk, add ref to Internal.AspNetCore.BuildTasks as a temporary workaround
* Use Arcade's nuspec support
* Rename SignalR.Client.FunctionalTests to SignalR.Client.FunctionalTestApp
* Fixes for changes to property evaluation order
* Update BaseLineGenerator to netcoreapp3.0
* React to changes in evaluation order in RPM files and quirks in using <Exec> instead of <Run>
* Update Microsoft.Extensions.ApiDescription.Server to react to changes in Arcade packaging
* Workaround aspnet/AspNetCore#11009
This takes PathNormalizer from Kestrel to normalize the request path and prevent traversals. (e.g. "/./" and "/../").
In 2.1 only HttpSys was affected. In 2.2 HttpSys and IIS-in-proc will share this code (with additional tests). In 3.0 we'll refactor it to use more shared source across all three servers.
- The current theory is that the tests are experiencing starvation so add more logs to see if if anything in the application is running between the FIN being received on the server side and application code receiving the notification that the pipe was completed.
- Detect OperationAborted to avoid the connection reset log.
Pranav K
Chris Ross (ASP.NET)
Nate McMaster
Mikael Mengistu
John Luo
Arthur Vickers
Kahbazi
Brennan
Artak
Ryan Brandenburg
Isaac Levin
Ben Adams
Isaac Levin
Chris Ross
Daniel Roth
Jacques Eloff
David Fowler
Javier Calvarro Nelson
Andrew Stanton-Nurse
dotnet-maestro-bot