Commit a76d65b

Merge pull request #12326 from dotnet/main
Merge main into live
2 parents 37b006b + ba94fd6 commit a76d65b

3 files changed

Lines changed: 49 additions & 4 deletions

xml/System.Net.Http.Headers/HttpHeaders.xml

Lines changed: 41 additions & 3 deletions
@@ -596,7 +596,7 @@ This member is an explicit interface member implementation. It can be used only
596596
<AssemblyVersion>4.2.0.0</AssemblyVersion>
597597
</AssemblyInfo>
598598
<Docs>
599-
<summary>Returns a value that indicates whether a new header and its values were added to the <see cref="T:System.Net.Http.Headers.HttpHeaders" /> collection without validating the provided information.</summary>
599+
<summary>Returns a value that indicates whether a new header and its values were added to the <see cref="T:System.Net.Http.Headers.HttpHeaders" /> collection without validating the header values.</summary>
600600
</Docs>
601601
</MemberGroup>
602602
<Member MemberName="TryAddWithoutValidation">
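Review bot: The summary correction at new line 599 covers only the MemberGroup; the two overload summaries further down (unchanged lines 649 and 702) still say "without validating the provided information", which now conflicts with the added remarks stating that header names are validated. Suggest changing both overload summaries to "without validating the header values" in the same commit so all three summaries agree.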
@@ -649,7 +649,26 @@ This member is an explicit interface member implementation. It can be used only
649649
<summary>Returns a value that indicates whether the specified header and its values were added to the <see cref="T:System.Net.Http.Headers.HttpHeaders" /> collection without validating the provided information.</summary>
650650
<returns>
651651
<see langword="true" /> if the specified header <paramref name="name" /> and <paramref name="values" /> could be added to the collection; otherwise <see langword="false" />.</returns>
652-
<remarks>To be added.</remarks>
652+
<remarks>
653+
<format type="text/markdown"><![CDATA[
654+
655+
## Remarks
656+
657+
This method performs header name validation, returning `false` for invalid names. Header names are enforced to be valid HTTP tokens, where a token is defined as any set of ASCII letters, digits, or symbols from the ``"!#$%&'*+-.^_`|~"`` set, matching [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#name-collected-abnf)'s definition. Non-ASCII characters aren't allowed in a header name.
658+
659+
This method doesn't perform any header value validation. Values added via this method are assumed to be trusted, and other application logic, such as <xref:System.Net.Http.HttpClient>, might misbehave if they're not well formed.
660+
661+
Values added without validation might be observed when enumerating the collection or querying for the specific header name, even when the caller isn't using the <xref:System.Net.Http.Headers.HttpHeaders.NonValidated> view of the collection.
662+
663+
> [!CAUTION]
664+
> This method must never be used with untrusted values, unless they were otherwise sufficiently validated.
665+
>
666+
> What constitutes "sufficient" validation can vary by use case. At a minimum, prohibit newline characters for protocol correctness, for example, `if (value.ContainsAny('\r', '\n', '\0')) throw ...`. This validation should ensure that the server application sees values in the same way as the client application, with the server now being responsible for properly sanitizing its own inputs.
667+
>
668+
> To guard against attacks such as request smuggling, callers are highly encouraged to validate that these values don't contain newline characters.
669+
670+
]]></format>
671+
</remarks>
653672
</Docs>
654673
</Member>
655674
<Member MemberName="TryAddWithoutValidation">
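Review bot: The inline example at new line 666 checks a single `value` (`if (value.ContainsAny('\r', '\n', '\0')) throw ...`), but this overload's parameter is `values`, so a reader of this member cannot tell whether the check is meant per element. Suggest adding a short clause stating that every element of `values` needs the check, or rewording the example for this overload instead of reusing the single-value text unchanged.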
@@ -702,7 +721,26 @@ This member is an explicit interface member implementation. It can be used only
702721
<summary>Returns a value that indicates whether the specified header and its value were added to the <see cref="T:System.Net.Http.Headers.HttpHeaders" /> collection without validating the provided information.</summary>
703722
<returns>
704723
<see langword="true" /> if the specified header <paramref name="name" /> and <paramref name="value" /> could be added to the collection; otherwise <see langword="false" />.</returns>
705-
<remarks>To be added.</remarks>
724+
<remarks>
725+
<format type="text/markdown"><![CDATA[
726+
727+
## Remarks
728+
729+
This method performs header name validation, returning `false` for invalid names. Header names are enforced to be valid HTTP tokens, where a token is defined as any set of ASCII letters, digits, or symbols from the ``"!#$%&'*+-.^_`|~"`` set, matching [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#name-collected-abnf)'s definition. Non-ASCII characters aren't allowed in a header name.
730+
731+
This method doesn't perform any header value validation. Values added via this method are assumed to be trusted, and other application logic, such as <xref:System.Net.Http.HttpClient>, might misbehave if they're not well formed.
732+
733+
Values added without validation might be observed when enumerating the collection or querying for the specific header name, even when the caller isn't using the <xref:System.Net.Http.Headers.HttpHeaders.NonValidated> view of the collection.
734+
735+
> [!CAUTION]
736+
> This method must never be used with untrusted values, unless they were otherwise sufficiently validated.
737+
>
738+
> What constitutes "sufficient" validation can vary by use case. At a minimum, prohibit newline characters for protocol correctness, for example, `if (value.ContainsAny('\r', '\n', '\0')) throw ...`. This validation should ensure that the server application sees values in the same way as the client application, with the server now being responsible for properly sanitizing its own inputs.
739+
>
740+
> To guard against attacks such as request smuggling, callers are highly encouraged to validate that these values don't contain newline characters.
741+
742+
]]></format>
743+
</remarks>
706744
</Docs>
707745
</Member>
708746
<Member MemberName="TryGetValues">
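Review bot: The caution block at new lines 738 to 740 describes the minimum check as prohibiting "newline characters", yet the example it gives also rejects `'\0'`, so the prose and the example disagree about what the minimum is. Suggest naming the null character in the sentence (or dropping it from the example), and folding the closing paragraph at line 740 into the "At a minimum" sentence, since both give the same newline recommendation. The identical text in the previous hunk needs the same change.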

xml/System.Net.Mail/MailAddress.xml

Lines changed: 2 additions & 0 deletions
@@ -265,6 +265,8 @@ If `displayName` contains non-ASCII characters, the iso-8859-1 character set is
265265
266266
If `address` contains a display name, and `displayName` is not `null` and is not equal to <xref:System.String.Empty?displayProperty=nameWithType>, `displayName` overrides the value specified in `address`.
267267
268+
The <xref:System.Net.Mail.MailAddress.%23ctor(System.String,System.String)> constructor does not check if the `displayName` parameter is valid. This method removes surrounding quotes not displayed by the <xref:System.Net.Mail.MailAddress.DisplayName> property. Quotes will be added before transmission. <xref:System.Text.Encoding.UTF8> encoding will be applied to the <xref:System.Net.Mail.MailAddress.DisplayName> property before transmission.
269+
268270
## Examples
269271
270272
The following code example uses this constructor to create <xref:System.Net.Mail.MailAddress> instances for the sender and recipient of an email message.
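Review bot: The paragraph added at new line 268 says UTF8 encoding is applied to `DisplayName` before transmission, while the context in the hunk header describes the iso-8859-1 character set for a `displayName` with non-ASCII characters; the two statements need to be reconciled or scoped so readers know which applies. In the same paragraph, "This method" refers to a constructor, and "removes surrounding quotes not displayed by the DisplayName property" is hard to parse; something like "This constructor removes surrounding quotes, so they are not shown by the DisplayName property" would read more clearly. The sentence that the constructor "does not check if the `displayName` parameter is valid" would also benefit from saying what the caller is expected to check.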

xml/System/TimeZoneInfo.xml

Lines changed: 6 additions & 1 deletion
@@ -1892,7 +1892,12 @@
18921892
18931893
The `id` parameter must correspond exactly to the time zone's identifier in length, but not in case, for a successful match to occur; that is, the comparison of `id` with time zone identifiers is case-insensitive. If you want to retrieve time zone objects based on partial matches, you can write custom procedures that work with the read-only collection of <xref:System.TimeZoneInfo> objects returned by the <xref:System.TimeZoneInfo.GetSystemTimeZones%2A> method.
18941894
1895-
On Windows systems, `FindSystemTimeZoneById` tries to match `id` to the subkey names of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones branch of the registry. On Linux and macOS, it uses time zone information available in the [ICU Library](https://unicode-org.github.io/icu/userguide/datetime/timezone/). If the registry or the library does not have the information for the time zone you desire, you can create a particular time zone either by calling one of the overloads of the <xref:System.TimeZoneInfo.CreateCustomTimeZone%2A> method or by calling <xref:System.TimeZoneInfo.FromSerializedString%2A> to deserialize a <xref:System.TimeZoneInfo> object that represents the required time zone. However, time zones created by these method calls are not system-defined time and cannot be retrieved using the <xref:System.TimeZoneInfo.FindSystemTimeZoneById%2A> method. These custom time zones can be accessed only through the object reference returned by the <xref:System.TimeZoneInfo.CreateCustomTimeZone%2A> or <xref:System.TimeZoneInfo.FromSerializedString%2A> method call.
1895+
On Windows systems, `FindSystemTimeZoneById` tries to match `id` to the subkey names of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones branch of the registry.
1896+
Starting with .NET 6, Windows systems also support IANA time zone identifiers (such as "America/Los_Angeles" or "Pacific/Auckland"), providing cross-platform time zone resolution. IANA IDs are supported on Windows only if NLS isn't enabled and globalization invariant mode isn't enabled.
1897+
On Linux and macOS, it uses time zone information available in the [ICU Library](https://unicode-org.github.io/icu/userguide/datetime/timezone/).
1898+
If the registry or the library does not have the information for the time zone you desire, you can create a particular time zone either by calling one of the overloads of the <xref:System.TimeZoneInfo.CreateCustomTimeZone%2A> method or by calling <xref:System.TimeZoneInfo.FromSerializedString%2A> to deserialize a <xref:System.TimeZoneInfo> object that represents the required time zone.
1899+
However, time zones created by these method calls are not system-defined time and cannot be retrieved using the <xref:System.TimeZoneInfo.FindSystemTimeZoneById%2A> method.
1900+
These custom time zones can be accessed only through the object reference returned by the <xref:System.TimeZoneInfo.CreateCustomTimeZone%2A> or <xref:System.TimeZoneInfo.FromSerializedString%2A> method call.
18961901
18971902
In .NET 7 and earlier versions, this method returns a new <xref:System.TimeZoneInfo> instance for each method call. This might impact performance in applications that call the `FindSystemTimeZoneById` method repeatedly with the same identifier. (In .NET 8 and later versions, this method always returns a cached <xref:System.TimeZoneInfo> instance.)
18981903
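Review bot: At new line 1897, "On Linux and macOS, it uses ..." has lost its antecedent, because the inserted IANA sentence at line 1896 has "Windows systems" as its subject; suggest writing "`FindSystemTimeZoneById` uses ..." there. The six new lines 1895 to 1900 are consecutive with no blank lines between them, so Markdown will still render them as one paragraph; if separate paragraphs were intended, add blank lines. Line 1899 also carries over "are not system-defined time" from the removed text, which appears to be missing the word "zones".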
