Status: Open
Labels: area-networking (Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions), feature-http-abstractions, feature-mvc-antiforgery, investigate
Description
Describe the bug
There is a bug in CSRF token parsing inside the framework: if you give an invalid value to the CSRF field or cookie, then the server returns an exception with status code 500.
It should return status code 400.
To Reproduce
Change the value of CSRF to \%0a<%00>%bf%27
Exceptions (if any)
InvalidOperationException: The path contains null characters.
Microsoft.AspNetCore.Internal.UrlDecoder.DecodeCore(ref int sourceIndex, ref int destinationIndex, Span<byte> buffer, bool isFormEncoding)
Microsoft.AspNetCore.Internal.UrlDecoder.DecodeInPlace(Span<byte> buffer, bool isFormEncoding)
Microsoft.AspNetCore.WebUtilities.FormPipeReader.GetDecodedString(ReadOnlySpan<byte> readOnlySpan)
Microsoft.AspNetCore.WebUtilities.FormPipeReader.ParseFormValuesFast(ReadOnlySpan<byte> span, ref KeyValueAccumulator accumulator, bool isFinalBlock, out int consumed)
Microsoft.AspNetCore.WebUtilities.FormPipeReader.ParseFormValues(ref ReadOnlySequence<byte> buffer, ref KeyValueAccumulator accumulator, bool isFinalBlock)
Microsoft.AspNetCore.WebUtilities.FormPipeReader.ReadFormAsync(CancellationToken cancellationToken)
Microsoft.AspNetCore.Http.Features.FormFeature.InnerReadFormAsync(CancellationToken cancellationToken)
Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenStore.GetRequestTokensAsync(HttpContext httpContext)
Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)
Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Further technical details
ASP.NET Core 3.1.16
Output of dotnet --info:
.NET Core SDK (reflecting any global.json):
Version: 3.1.410
Commit: db62c6bbbb
Runtime Environment:
OS Name: ubuntu
OS Version: 20.04
OS Platform: Linux
RID: ubuntu.20.04-x64
Base Path: /usr/share/dotnet/sdk/3.1.410/
Host (useful for support):
Version: 3.1.16
Commit: 4c6b4aa257
.NET Core SDKs installed:
2.1.816 [/usr/share/dotnet/sdk]
3.1.410 [/usr/share/dotnet/sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.16 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.28 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
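The stack trace shows the failure path: the antiforgery filter calls DefaultAntiforgeryTokenStore.GetRequestTokensAsync, which reads the form body, and the URL decoder throws InvalidOperationException on the %00 byte before any token comparison happens. Because nothing catches it, the exception surfaces as a 500. One application-level mitigation while the framework fix is pending is to parse the form body early in the pipeline and convert a parse failure into a 400. The middleware below is an added example written for this issue; it is not code from the dotnet/aspnetcore project, and the name UseFormParseGuard and the response text are this example's own choices. It relies only on public ASP.NET Core 3.1 APIs (HttpRequest.HasFormContentType, HttpRequest.ReadFormAsync, IApplicationBuilder.Use).

```csharp
// Added example for this issue, not part of the ASP.NET Core project.
// Pre-reads an application/x-www-form-urlencoded or multipart body so that a
// body the framework cannot decode (e.g. a CSRF field containing %00) is
// answered with 400 instead of escaping from the antiforgery filter as a 500.
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class FormParseGuardExtensions
{
    // Hypothetical extension name chosen for this example.
    public static IApplicationBuilder UseFormParseGuard(this IApplicationBuilder app)
    {
        var logger = app.ApplicationServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("FormParseGuard");

        return app.Use(async (context, next) =>
        {
            // Only requests that declare a form content type are parsed as forms;
            // everything else passes straight through.
            if (context.Request.HasFormContentType)
            {
                try
                {
                    // Forces FormFeature to decode the body now. The result is cached
                    // on the request, so the antiforgery filter and model binding
                    // downstream reuse it instead of parsing a second time.
                    await context.Request.ReadFormAsync(context.RequestAborted);
                }
                catch (Exception ex) when (ex is InvalidOperationException
                                        || ex is InvalidDataException)
                {
                    // InvalidOperationException: undecodable percent-encoding such as %00
                    // (the case in this issue). InvalidDataException: form limits exceeded.
                    // Both originate from the client's bytes, so answer with a client error.
                    logger.LogWarning(ex, "Rejected malformed form body from {RemoteIp}",
                        context.Connection.RemoteIpAddress);

                    context.Response.StatusCode = StatusCodes.Status400BadRequest;
                    context.Response.ContentType = "text/plain";
                    await context.Response.WriteAsync("Malformed form body.");
                    return;
                }
            }

            await next();
        });
    }
}

// Registration in Startup.Configure (assumed layout of a typical MVC app):
//
//   app.UseRouting();
//   app.UseAuthentication();
//   app.UseAuthorization();
//   app.UseFormParseGuard();   // before UseEndpoints, so it runs ahead of the antiforgery filter
//   app.UseEndpoints(endpoints => endpoints.MapControllers());
```

Placing the guard before UseEndpoints matters: ValidateAntiforgeryTokenAuthorizationFilter runs inside the endpoint middleware, so a guard registered later would never see the request. The cached form means the guard adds no extra parsing cost on valid requests, and the catch filter is deliberately narrow so that genuine server faults still produce a 500 and reach the developer exception page.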