Merged PR 21240: [6.0] MSRC 70023 - ASP.Net FormFeature.cs - DenialOfService

# ASP.Net FormFeature.cs - DenialOfService When parsing multi-part form data with FormFeature.cs, we do not honor ValueCountLimit when the content disposition is of an unknown type. Therefore an attacker could send multi-part form data where very part has invalid content disposition, and make us read indefinitely. ## Description When parsing multi-part form data with FormFeature.cs, we do not honor ValueCountLimit when the content disposition is of an unknown type. Therefore an attacker could send multi-part form data where very part has invalid content disposition, and make us read indefinitely. ## Customer Impact Prevents a potential Denial-of-service attack. ## Regression? - [ ] Yes - [x] No ## Risk - [ ] High - [x] Medium - [ ] Low We could have missed another potential version of this vulnerability ## Verification - [x] Manual (required) - [x] Automated Added a test, plus confirmed with a local repro that the pre-existing slowdown goes away after the change. ## Packaging changes reviewed? - [ ] Yes - [ ] No - [x] N/A ---- ## When servicing release/2.1 - [ ] Make necessary changes in eng/PatchConfig.props

Merged PR 21240: [6.0] MSRC 70023 - ASP.Net FormFeature.cs - DenialOfService
108c2218 · Will Godbe · 1e1c8913 · 108c2218 · 108c2218
--- a/src/Http/Http/src/Features/FormFeature.cs
+++ b/src/Http/Http/src/Features/FormFeature.cs
@@ -184,6 +184,7 @@ namespace Microsoft.AspNetCore.Http.Features
                else if (HasMultipartFormContentType(contentType))
                {
                    var formAccumulator = new KeyValueAccumulator();
+                    var nonFormOrFileContentDispositionCount = 0;
                    var boundary = GetBoundary(contentType, _options.MultipartBoundaryLengthLimit);
                    var multipartReader = new MultipartReader(boundary, _request.Body)
@@ -259,7 +260,11 @@ namespace Microsoft.AspNetCore.Http.Features
                        }
                        else
                        {
-                            System.Diagnostics.Debug.Assert(false, "Unrecognized content-disposition for this section: " + section.ContentDisposition);
+                            if (nonFormOrFileContentDispositionCount++ >= _options.ValueCountLimit)
+                            {
+                                throw new InvalidDataException($"Unrecognized Content-Disposition. Form value count limit {_options.ValueCountLimit} exceeded.");
+                            }
                        }
                        section = await multipartReader.ReadNextSectionAsync(cancellationToken);

--- a/src/Http/Http/test/Features/FormFeatureTests.cs
+++ b/src/Http/Http/test/Features/FormFeatureTests.cs
@@ -165,6 +165,12 @@ namespace Microsoft.AspNetCore.Http.Features
 InvalidContentDispositionValue +
 "\r\n" +
 "\r\n" +
+"Foo\r\n";
+        private const string MultipartFormFileNonFormOrFileContentDispositionValue = "--WebKitFormBoundary5pDRpGheQXaM8k3T\r\n" +
+"Content-Disposition:x" +
+"\r\n" +
+"\r\n" +
 "Foo\r\n";
        private const string MultipartFormWithField =
@@ -468,6 +474,30 @@ InvalidContentDispositionValue +
            Assert.Equal("Form value count limit 2 exceeded.", exception.Message);
        }
+        [Theory]
+        [InlineData(true)]
+        [InlineData(false)]
+        public async Task ReadFormAsync_NonFormOrFieldContentDisposition_ValueCountLimitExceeded_Throw(bool bufferRequest)
+        {
+            var formContent = new List<byte>();
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormEnd));
+            var context = new DefaultHttpContext();
+            var responseFeature = new FakeResponseFeature();
+            context.Features.Set<IHttpResponseFeature>(responseFeature);
+            context.Request.ContentType = MultipartContentType;
+            context.Request.Body = new NonSeekableReadStream(formContent.ToArray());
+            IFormFeature formFeature = new FormFeature(context.Request, new FormOptions() { BufferBody = bufferRequest, ValueCountLimit = 2 });
+            context.Features.Set<IFormFeature>(formFeature);
+            var exception = await Assert.ThrowsAsync<InvalidDataException>(() => context.Request.ReadFormAsync());
+            Assert.Equal("Unrecognized Content-Disposition. Form value count limit 2 exceeded.", exception.Message);
+        }
        [Theory]
        [InlineData(true)]
        [InlineData(false)]