|
//------------------------------------------------------------------------------
// <copyright file="AppSettings.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//------------------------------------------------------------------------------
// AppSettings.cs
//
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Diagnostics.CodeAnalysis;
using System.Security.Permissions;
using System.Web.Configuration;
using System.Web.Hosting;
namespace System.Web.Util {
internal static class AppSettings
{
private static volatile bool _settingsInitialized = false;
private static object _appSettingsLock = new object();
private static void EnsureSettingsLoaded() {
if (!_settingsInitialized) {
lock (_appSettingsLock) {
if (!_settingsInitialized) {
NameValueCollection settings = null;
try {
settings = GetAppSettingsSection();
} finally {
// GetApplicationPathData may throw. That's fine. Let the user see the exception
// once, but just fall back on default settings for the future.
if (settings == null || !Boolean.TryParse(settings["aspnet:UseHostHeaderForRequestUrl"], out _useHostHeaderForRequestUrl))
_useHostHeaderForRequestUrl = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowAnonymousImpersonation"], out _allowAnonymousImpersonation))
_allowAnonymousImpersonation = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:ScriptResourceAllowNonJsFiles"], out _scriptResourceAllowNonJsFiles))
_scriptResourceAllowNonJsFiles = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyEncryption"], out _useLegacyEncryption))
_useLegacyEncryption = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyMachineKeyEncryption"], out _useLegacyMachineKeyEncryption))
_useLegacyMachineKeyEncryption = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyFormsAuthenticationTicketCompatibility"], out _useLegacyFormsAuthenticationTicketCompatibility))
_useLegacyFormsAuthenticationTicketCompatibility = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyEventValidationCompatibility"], out _useLegacyEventValidationCompatibility))
_useLegacyEventValidationCompatibility = false;
_allowInsecureDeserialization = GetNullableBooleanValue(settings, "aspnet:AllowInsecureDeserialization");
if (settings == null || !Boolean.TryParse(settings["aspnet:AlwaysIgnoreViewStateValidationErrors"], out _alwaysIgnoreViewStateValidationErrors))
_alwaysIgnoreViewStateValidationErrors = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowRelaxedHttpUserName"], out _allowRelaxedHttpUserName))
_allowRelaxedHttpUserName = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:JavaScriptDoNotEncodeAmpersand"], out _javaScriptDoNotEncodeAmpersand))
_javaScriptDoNotEncodeAmpersand = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseTaskFriendlySynchronizationContext"], out _useTaskFriendlySynchronizationContext))
_useTaskFriendlySynchronizationContext = (BinaryCompatibility.Current.TargetsAtLeastFramework45) ? true : false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowAsyncDuringSyncStages"], out _allowAsyncDuringSyncStages))
_allowAsyncDuringSyncStages = false;
if (settings == null || !int.TryParse(settings["aspnet:MaxHttpCollectionKeys"], out _maxHttpCollectionKeys) || _maxHttpCollectionKeys < 0)
_maxHttpCollectionKeys = DefaultMaxHttpCollectionKeys;
if (settings == null || !int.TryParse(settings["aspnet:MaxJsonDeserializerMembers"], out _maxJsonDeserializerMembers) || _maxJsonDeserializerMembers < 0)
_maxJsonDeserializerMembers = DefaultMaxJsonDeserializerMembers;
if (settings == null || !Boolean.TryParse(settings["aspnet:DoNotDisposeSpecialHttpApplicationInstances"], out _doNotDisposeSpecialHttpApplicationInstances))
_doNotDisposeSpecialHttpApplicationInstances = false;
if (settings != null)
_formsAuthReturnUrlVar = settings["aspnet:FormsAuthReturnUrlVar"];
if (settings == null || !Boolean.TryParse(settings["aspnet:RestrictXmlControls"], out _restrictXmlControls))
_restrictXmlControls = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowRelaxedRelativeUrl"], out _allowRelaxedRelativeUrl))
_allowRelaxedRelativeUrl = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyRequestUrlGeneration"], out _useLegacyRequestUrlGeneration))
_useLegacyRequestUrlGeneration = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowUtf7RequestContentEncoding"], out _allowUtf7RequestContentEncoding))
_allowUtf7RequestContentEncoding = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:AllowRelaxedUnicodeDecoding"], out _allowRelaxedUnicodeDecoding))
_allowRelaxedUnicodeDecoding = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:DontUsePercentUUrlEncoding"], out _dontUsePercentUUrlEncoding))
_dontUsePercentUUrlEncoding = BinaryCompatibility.Current.TargetsAtLeastFramework452; // default value is keyed off of <httpRuntime targetFramework="4.5.2" />
if (settings == null || !int.TryParse(settings["aspnet:UpdatePanelMaxScriptLength"], out _updatePanelMaxScriptLength) || _updatePanelMaxScriptLength < 0)
_updatePanelMaxScriptLength = 0;
// AppSettings override allows users to build against 4.5 but run against 4.0 or 4.5
_maxConcurrentCompilations = GetNullableIntegerValue(settings, "aspnet:MaxConcurrentCompilations");
if (settings == null || !int.TryParse(settings["aspnet:MaxAcceptLanguageFallbackCount"], out _maxAcceptLanguageFallbackCount) || _maxAcceptLanguageFallbackCount <= 0)
_maxAcceptLanguageFallbackCount = DefaultMaxAcceptLanguageFallbackCount;
if (settings == null || !Boolean.TryParse(settings["aspnet:PortableCompilationOutput"], out _portableCompilationOutput))
_portableCompilationOutput = false;
if (settings == null || string.IsNullOrWhiteSpace(_portableCompilationOutputSnapshotType = settings["aspnet:PortableCompilationOutputSnapshotType"]))
_portableCompilationOutputSnapshotType = null;
if (settings == null || string.IsNullOrWhiteSpace(_portableCompilationOutputSnapshotTypeOptions = settings["aspnet:PortableCompilationOutputSnapshotTypeOptions"]))
_portableCompilationOutputSnapshotTypeOptions = null;
if (settings == null || !Boolean.TryParse(settings["aspnet:EnsureSessionStateLockedOnFlush"], out _ensureSessionStateLockedOnFlush))
_ensureSessionStateLockedOnFlush = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseRandomizedStringHashAlgorithm"], out _useRandomizedStringHashAlgorithm))
_useRandomizedStringHashAlgorithm = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:EnableAsyncModelBinding"], out _enableAsyncModelBinding))
_enableAsyncModelBinding = BinaryCompatibility.Current.TargetsAtLeastFramework46;
if (settings == null || !int.TryParse(settings["aspnet:RequestQueueLimitPerSession"], out _requestQueueLimitPerSession) || _requestQueueLimitPerSession < 0)
_requestQueueLimitPerSession = BinaryCompatibility.Current.TargetsAtLeastFramework463 ? DefaultRequestQueueLimitPerSession : UnlimitedRequestsPerSession;
if (settings == null || !Boolean.TryParse(settings["aspnet:LogMembershipPasswordFormatWarning"], out _logMembershipPasswordFormatWarning))
_logMembershipPasswordFormatWarning = true;
if (settings == null || !Boolean.TryParse(settings["aspnet:AvoidDuplicatedSetCookie"], out _avoidDuplicatedSetCookie))
_avoidDuplicatedSetCookie = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:GetValidationMemberName"], out _getValidationMemberName))
_getValidationMemberName = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyClientServicesJsonHandling"], out _useLegacyClientServicesJsonHandling))
_useLegacyClientServicesJsonHandling = false;
if (settings == null || !Boolean.TryParse(settings["aspnet:UseLegacyMultiValueHeaderHandling"], out _useLegacyMultiValueHeaderHandling))
_useLegacyMultiValueHeaderHandling = !BinaryCompatibility.Current.TargetsAtLeastFramework48; // Opt in for 4.7.2 and earlier. Opt out for 4.8.
if (settings == null || !Boolean.TryParse(settings["aspnet:SuppressSameSiteNone"], out _suppressSameSiteNone))
_suppressSameSiteNone = false; // Use the new stricter behavior by default, as the old behavior is likely to cause problems with newer browsers.
_settingsInitialized = true;
}
}
}
}
}
[ConfigurationPermission(SecurityAction.Assert, Unrestricted = true)]
[SuppressMessage("Microsoft.Security", "CA2106:SecureAsserts", Justification = "This assert is safe since we control the callers; they're not leaking information.")]
private static NameValueCollection GetAppSettingsSection() {
// DevDiv #353926 - Fall back to reading App.config if System.Web types are being consumed outside an ASP.NET application
if (!HostingEnvironment.IsHosted) {
return ConfigurationManager.AppSettings;
}
// Check the app-level config. Ignore configuration errors
CachedPathData appPathData = CachedPathData.GetApplicationPathData();
if (appPathData != null && appPathData.ConfigRecord != null)
return appPathData.ConfigRecord.GetSection("appSettings") as NameValueCollection;
// nothing found
return null;
}
// helper function to read a tri-state boolean from config
private static bool? GetNullableBooleanValue(NameValueCollection settings, string key) {
bool value;
return (settings != null && Boolean.TryParse(settings[key], out value)) ? value : (bool?)null;
}
// helper function to read a nullable int from config
private static int? GetNullableIntegerValue(NameValueCollection settings, string key) {
int value;
return (settings != null && int.TryParse(settings[key], out value)) ? value : (int?)null;
}
private static bool _useHostHeaderForRequestUrl;
internal static bool UseHostHeaderForRequestUrl {
get {
EnsureSettingsLoaded();
return _useHostHeaderForRequestUrl;
}
}
private static bool _allowAnonymousImpersonation;
internal static bool AllowAnonymousImpersonation {
get {
EnsureSettingsLoaded();
return _allowAnonymousImpersonation;
}
}
// false [default] to allow ScriptResource.axd to serve static files only if they are *.js;
// true to allow ScriptResource.axd to serve any static file (bad practice)
private static bool _scriptResourceAllowNonJsFiles;
internal static bool ScriptResourceAllowNonJsFiles {
get {
EnsureSettingsLoaded();
return _scriptResourceAllowNonJsFiles;
}
}
// false [default] to use encrypt+sign for all except Membership and MachineKey public API
// true to use encrypt only (dangerous!)
private static bool _useLegacyEncryption;
internal static bool UseLegacyEncryption {
get {
EnsureSettingsLoaded();
return _useLegacyEncryption;
}
}
// false [default] to use encrypt+sign for MachineKey public API
// true to use encrypt only for MachineKey public API (dangerous!)
private static bool _useLegacyMachineKeyEncryption;
internal static bool UseLegacyMachineKeyEncryption {
get {
EnsureSettingsLoaded();
return _useLegacyMachineKeyEncryption;
}
}
// false [default] to use secure semantics when generating FormsAuthentication tickets
// true to allow ticketCompatibilityMode="Framework20" (dangerous!)
private static bool _useLegacyFormsAuthenticationTicketCompatibility;
internal static bool UseLegacyFormsAuthenticationTicketCompatibility {
get {
EnsureSettingsLoaded();
return _useLegacyFormsAuthenticationTicketCompatibility;
}
}
// false [default] to use a cryptographic hash algorithm when generating the __EVENTVALIDATION field
// true to use String.GetHashCode() instead (dangerous!)
// more info: DevDiv #233564 (http://vstfdevdiv:8080/DevDiv2/web/wi.aspx?id=233564)
private static bool _useLegacyEventValidationCompatibility;
internal static bool UseLegacyEventValidationCompatibility {
get {
EnsureSettingsLoaded();
return _useLegacyEventValidationCompatibility;
}
}
// false to always enforce EnableViewStateMac=false
// true to allow the developer to specify EnableViewStateMac=false (dangerous, leads to RCE!)
// null [default] to make the decision based on a registry key
// more info: DevDiv #461378 (http://vstfdevdiv:8080/DevDiv2/DevDiv/_workitems/edit/461378)
private static bool? _allowInsecureDeserialization;
internal static bool? AllowInsecureDeserialization {
get {
EnsureSettingsLoaded();
return _allowInsecureDeserialization;
}
}
// false [default] to use the default heuristic for determining when to suppress __VIEWSTATE MAC validation errors and when to display a YSOD
// true to always ---- errors and never show a YSOD
private static bool _alwaysIgnoreViewStateValidationErrors;
internal static bool AlwaysIgnoreViewStateValidationErrors {
get {
EnsureSettingsLoaded();
return _alwaysIgnoreViewStateValidationErrors;
}
}
// false [default] to restrict dangerous characters in any user name passed to native code
// true to allow dangerous characters
private static bool _allowRelaxedHttpUserName;
internal static bool AllowRelaxedHttpUserName {
get {
EnsureSettingsLoaded();
return _allowRelaxedHttpUserName;
}
}
// false [default] to encode '&' characters in HttpUtility.JavaScriptStringEncode()
// true to not encode '&' characters (bad practice)
private static bool _javaScriptDoNotEncodeAmpersand;
internal static bool JavaScriptDoNotEncodeAmpersand {
get {
EnsureSettingsLoaded();
return _javaScriptDoNotEncodeAmpersand;
}
}
// false [default] to use the updated AspNetSynchronizationContext type (needed for TAP methods)
// true to use LegacyAspNetSynchronizationContext (needed for some back-compat scenarios)
private static bool _useTaskFriendlySynchronizationContext ;
internal static bool UseTaskFriendlySynchronizationContext {
get {
EnsureSettingsLoaded();
return _useTaskFriendlySynchronizationContext ;
}
}
// false [default] if the updated AspNetSynchronizationContext type should throw when it encounters invalid operations
// true to allow some invalid operations through the system (needed for some back-compat scenarios)
// more info: see doc on HttpContext.AllowAsyncDuringSyncStages
private static bool _allowAsyncDuringSyncStages;
internal static bool AllowAsyncDuringSyncStages {
get {
EnsureSettingsLoaded();
return _allowAsyncDuringSyncStages;
}
}
// maximum number of keys a HttpValueCollection, HttpFileCollection or HttpCookieCollection is allowed to have
private const int DefaultMaxHttpCollectionKeys = Int32.MaxValue;
private static int _maxHttpCollectionKeys = DefaultMaxHttpCollectionKeys;
internal static int MaxHttpCollectionKeys {
get {
EnsureSettingsLoaded();
return _maxHttpCollectionKeys;
}
}
// maximum number of entries a Json deserialized dictionary is allowed to have
private const int DefaultMaxJsonDeserializerMembers = Int32.MaxValue;
private static int _maxJsonDeserializerMembers = DefaultMaxJsonDeserializerMembers;
internal static int MaxJsonDeserializerMembers {
get {
EnsureSettingsLoaded();
return _maxJsonDeserializerMembers;
}
}
// false [default] to call HttpApplication.Dispose() on all HttpApplication instances instantiated by ASP.NET
// true to suppress calling HttpApplication.Dispose() on "special" (i.e., associated with App_Start, App_End, etc.) HttpApplication instances
// see DevDiv #109006 (http://vstfdevdiv:8080/DevDiv2/web/wi.aspx?id=109006): HttpModules attached to the "Special" HttpApplication instance are not disposed
private static bool _doNotDisposeSpecialHttpApplicationInstances;
internal static bool DoNotDisposeSpecialHttpApplicationInstances {
get {
EnsureSettingsLoaded();
return _doNotDisposeSpecialHttpApplicationInstances;
}
}
// none [default] to use the existing /loging.aspx?ReturnUrl=
// <FormsAuthReturnUrlVar> to use /loging.aspx?<FormsAuthReturnUrlVar>=
private static string _formsAuthReturnUrlVar;
internal static string FormsAuthReturnUrlVar {
get {
EnsureSettingsLoaded();
return _formsAuthReturnUrlVar;
}
}
// false [default] to use potentially unsafe System.Xml API's that were in use for 1.0 through 4.0
// true to avoid using vulnerable System.Xml API's.
private static bool _restrictXmlControls;
internal static bool RestrictXmlControls {
get {
EnsureSettingsLoaded();
return _restrictXmlControls;
}
}
// false [default] - requires relative url to be more strict
// true - use less strict policy
private static bool _allowRelaxedRelativeUrl;
internal static bool AllowRelaxedRelativeUrl {
get {
EnsureSettingsLoaded();
return _allowRelaxedRelativeUrl;
}
}
// false [default] - attempts to re-encode HttpRequest.Url so that it is equivalent to the actual incoming URL
// true - does not attempt to re-encode the Url, which could allow the Uri class to perform double-decoding (dangerous!)
// See also DevDiv #703232 (http://vstfdevdiv:8080/DevDiv2/DevDiv/_workitems/edit/703232)
private static bool _useLegacyRequestUrlGeneration;
internal static bool UseLegacyRequestUrlGeneration {
get {
EnsureSettingsLoaded();
return _useLegacyRequestUrlGeneration;
}
}
// false [default] - disallow UTF-7 as an incoming ContentEncoding
// true - allow UTF-7 as an incoming ContentEncoding (dangerous!)
private static bool _allowUtf7RequestContentEncoding;
internal static bool AllowUtf7RequestContentEncoding {
get {
EnsureSettingsLoaded();
return _allowUtf7RequestContentEncoding;
}
}
// false [default] - disallow invalid UTF-16 (like unpaired surrogates) when deserializing JSON strings and inside UrlDecode
// true - allow malformed strings like "\ud800" and "%ud800" to be deserialized (dangerous!)
private static bool _allowRelaxedUnicodeDecoding;
internal static bool AllowRelaxedUnicodeDecoding {
get {
EnsureSettingsLoaded();
return _allowRelaxedUnicodeDecoding;
}
}
// false - use UrlEncodeUnicode for some URL generation within ASP.NET, which can produce non-compliant results
// true - use UTF8 encoding for things like <form action>, which works with modern browsers
// defaults to true when targeting >= 4.5.2, otherwise false
// See DevDiv #762975 for more information.
private static bool _dontUsePercentUUrlEncoding;
internal static bool DontUsePercentUUrlEncoding {
get {
EnsureSettingsLoaded();
return _dontUsePercentUUrlEncoding;
}
}
// maximum length for UpdatePanel script block
private static int _updatePanelMaxScriptLength;
internal static int UpdatePanelMaxScriptLength {
get {
EnsureSettingsLoaded();
return _updatePanelMaxScriptLength;
}
}
// maximum number of concurrent compilations
private static int? _maxConcurrentCompilations;
internal static int? MaxConcurrentCompilations {
get {
EnsureSettingsLoaded();
return _maxConcurrentCompilations;
}
}
// Controls how deep we look when trying to get a CultureInfo from an Accept-Language header.
// For example, a value of 3 with Accept-Language: en-us, en, fr-FR, zh-CN will cause us to
// look for "en-us", "en", and "fr-FR" in order, taking the first hit, but we won't look
// for "zh-CN" if the first three fail. Setting this value too high could result in DoS.
private const int DefaultMaxAcceptLanguageFallbackCount = 3;
private static int _maxAcceptLanguageFallbackCount;
internal static int MaxAcceptLanguageFallbackCount {
get {
EnsureSettingsLoaded();
return _maxAcceptLanguageFallbackCount;
}
}
// false [default]
// true to allow
private static bool _portableCompilationOutput;
internal static bool PortableCompilationOutput {
get {
EnsureSettingsLoaded();
return _portableCompilationOutput;
}
}
// null [default]
// complete type name as string
private static string _portableCompilationOutputSnapshotType;
internal static string PortableCompilationOutputSnapshotType {
get {
EnsureSettingsLoaded();
return _portableCompilationOutputSnapshotType;
}
}
// null [default]
// options
private static string _portableCompilationOutputSnapshotTypeOptions;
internal static string PortableCompilationOutputSnapshotTypeOptions {
get {
EnsureSettingsLoaded();
return _portableCompilationOutputSnapshotTypeOptions;
}
}
// false [default] - allow delayed store of session state item (possibly concurrent access on new session)
// true - ensure the session state item is stored before another request is allowed to proceed with the same session
private static bool _ensureSessionStateLockedOnFlush;
internal static bool EnsureSessionStateLockedOnFlush {
get {
EnsureSettingsLoaded();
return _ensureSessionStateLockedOnFlush;
}
}
// false [default] - don't force randomized hash code algorithm. Exisiting behavior
// true - use randomized hash code algorithm
private static bool _useRandomizedStringHashAlgorithm;
internal static bool UseRandomizedStringHashAlgorithm {
get {
EnsureSettingsLoaded();
return _useRandomizedStringHashAlgorithm;
}
}
// false - disable async model binding
// true - enable async model binding
// defaults to true when targeting >= 4.6, otherwise false
private static bool _enableAsyncModelBinding;
internal static bool EnableAsyncModelBinding {
get {
EnsureSettingsLoaded();
return _enableAsyncModelBinding;
}
}
internal const int UnlimitedRequestsPerSession = Int32.MaxValue;
internal const int DefaultRequestQueueLimitPerSession = 50;
// Limit of queued requests per session
private static int _requestQueueLimitPerSession;
internal static int RequestQueueLimitPerSession {
get {
EnsureSettingsLoaded();
return _requestQueueLimitPerSession;
}
}
// true [default] to log warning if password format is not secure
// false -- Not to log warning if password format is not secure
private static bool _logMembershipPasswordFormatWarning;
internal static bool LogMembershipPasswordFormatWarning {
get {
EnsureSettingsLoaded();
return _logMembershipPasswordFormatWarning;
}
}
// false [default]
// true - adopt new behavior to fix duplicated cookie issue.
private static bool _avoidDuplicatedSetCookie;
internal static bool AvoidDuplicatedSetCookie {
get {
EnsureSettingsLoaded();
return _avoidDuplicatedSetCookie;
}
}
// false [Default]
// true - new behavior to retrive MemberName
private static bool _getValidationMemberName;
internal static bool GetValidationMemberName
{
get
{
EnsureSettingsLoaded();
return _getValidationMemberName;
}
}
// false [default]
// true - adopt new behavior to avoid trusting json from compromised client web services.
private static bool _useLegacyClientServicesJsonHandling;
internal static bool UseLegacyClientServicesJsonHandling {
get
{
EnsureSettingsLoaded();
return _useLegacyClientServicesJsonHandling;
}
}
// false [default]
// true - adopt new behavior to avoid trusting json from compromised client web services.
private static bool _useLegacyMultiValueHeaderHandling;
internal static bool UseLegacyMultiValueHeaderHandling
{
get
{
EnsureSettingsLoaded();
return _useLegacyMultiValueHeaderHandling;
}
}
// false [default] - Emit SameSite cookie header for all valid valudes, even if value is 'None'.
// true - Don't emit the SameSite cookie header if the value is 'None'.
private static bool _suppressSameSiteNone;
internal static bool SuppressSameSiteNone
{
get
{
EnsureSettingsLoaded();
return _suppressSameSiteNone;
}
}
}
}
|