Add some validation to UriBuilder.Host setter #121083
Merged
MihaZupan merged 3 commits into dotnet:main, Nov 10, 2025
Pull Request Overview
This PR enhances validation of host strings in UriBuilder to prevent malformed host inputs that could escape into other URI components. The changes add early validation to reject hosts containing problematic characters like /, ?, #, and @, while still supporting IPv6 addresses.
- Adds a SearchValues set for efficiently detecting problematic characters in host strings
- Implements validation logic to reject hosts with characters that could escape into path, query, or fragment components
- Adds comprehensive test coverage for invalid host strings and their rejection behavior
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/libraries/System.Private.Uri/src/System/UriBuilder.cs | Adds s_hostReservedChars SearchValues and implements enhanced host validation logic with special handling for IPv6 addresses |
| src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderTests.cs | Removes test cases with malformed IPv6 syntax, adds test for valid IPv6 zone ID, and adds comprehensive test coverage for invalid host strings |
rzikm approved these changes Nov 6, 2025
Member, Author
/ba-g Failures are android timeouts
Contributor
Added When you commit this breaking change:
Tagging @dotnet/compat for awareness of the breaking change.
Block inputs for the UriBuilder.Host setter that would "escape" the component. Similar to #74953
This does intentionally break inputs like .Host = "host/path", "::]", user@host...
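An added example, not code from this PR or from the runtime: it composes a URI from an unvalidated host the way a permissive builder would, prints which components a parser then sees, and shows a host check of the kind the overview describes. `HostCheck`, `Bracket` and `IsValid` are hypothetical names, the sample hosts are constructed from the inputs named in the description, the IPv6 handling is a simplification, and .NET 8 or later is assumed for `SearchValues`.

```csharp
using System;
using System.Buffers;
using System.Net;
using System.Net.Sockets;

// Constructed inputs: the three rejected forms from the PR description, then two valid hosts.
string[] samples = { "host/path", "::]", "user@host", "example.com", "::1" };

foreach (string host in samples)
{
    // Naive composition, as a builder without host validation would do it.
    string text = $"https://{HostCheck.Bracket(host)}/index";
    string seen = Uri.TryCreate(text, UriKind.Absolute, out Uri? uri)
        ? $"Host={uri.Host} UserInfo={uri.UserInfo} Path={uri.AbsolutePath}"
        : "not parseable";
    Console.WriteLine($"{host,-12} valid={HostCheck.IsValid(host),-5} composed -> {seen}");
}

// Hypothetical helper for this example; not the runtime's UriBuilder code.
static class HostCheck
{
    // The characters the PR overview lists as escaping into other components.
    private static readonly SearchValues<char> s_reserved = SearchValues.Create("/?#@");

    // Wrap a bare host containing ':' in brackets, as an IPv6 literal would need.
    public static string Bracket(string host) =>
        host.Contains(':') && !host.StartsWith('[') ? $"[{host}]" : host;

    public static bool IsValid(string host)
    {
        ReadOnlySpan<char> span = host;
        if (span.ContainsAny(s_reserved))
            return false;

        // Brackets are accepted only as one matched pair around the whole host.
        if (span.Length >= 2 && span[0] == '[' && span[^1] == ']')
            span = span[1..^1];
        if (span.ContainsAny('[', ']'))
            return false;

        // Simplification (assumption): any host containing ':' must be an IPv6 literal.
        if (span.Contains(':'))
            return IPAddress.TryParse(span, out IPAddress? ip)
                && ip.AddressFamily == AddressFamily.InterNetworkV6;
        return true;
    }
}
```

For the inputs the check rejects, the printed components show where the text assigned as a host ends up after parsing (path or user info), which is the mismatch that validating at the setter prevents.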