Merged PR 158405: [2.1 Servicing] MSRC 47421: Disallow dangerous Unicode decompositions in System.Uri

This change blocks any Unicode decompositions that change the semantics of a URI. See the comments included in the change for more details.

Unlike the netfx implementation of this change, there is no mechanism for users to disable the fix. I believe that this is the correct choice for two reasons:

(1) Domain name registrars have disallowed these characters for almost as long as they have allowed punycode, so it's unlikely there are legitimate domains using them.
(2) The consequences of disabling the fix are significant, and are likely non-obvious to most users.

Author: Max Kerr

src/System.Private.Uri/src/System/DomainNameHelper.cs

@@ -332,7 +332,12 @@ internal static unsafe string IdnEquivalent(char* hostname, int start, int end,
                 bidiStrippedHost = UriHelper.StripBidiControlCharacter(hostname, start, end - start);
                 try
                 {
-                    return s_idnMapping.GetAscii(bidiStrippedHost);
+                    string asciiForm = s_idnMapping.GetAscii(bidiStrippedHost);
+                    if (ContainsCharactersUnsafeForNormalizedHost(asciiForm))
+                    {
+                        throw new UriFormatException(SR.net_uri_BadUnicodeHostForIdn);
+                    }
+                    return asciiForm;
                 }
                 catch (ArgumentException)
                 {
@@ -536,5 +541,20 @@ private static bool IsValidDomainLabelCharacter(char character, ref bool notCano
 
             return false;
         }
+
+        // The Unicode specification allows certain code points to be normalized not to
+        // punycode, but to ASCII representations that retain the same meaning. For example,
+        // the codepoint U+00BC "Vulgar Fraction One Quarter" is normalized to '1/4' rather
+        // than being punycoded.
+        //
+        // This means that a host containing Unicode characters can be normalized to contain
+        // URI reserved characters, changing the meaning of a URI only when certain properties
+        // such as IdnHost are accessed. To be safe, disallow control characters in normalized hosts.
+        private static readonly char[] s_UnsafeForNormalizedHost = { '\\', '/', '?', '@', '#', ':', '[', ']' };
+
+        internal static bool ContainsCharactersUnsafeForNormalizedHost(string host)
+        {
+            return host.IndexOfAny(s_UnsafeForNormalizedHost) != -1;
+        }
     }
 }

src/System.Private.Uri/tests/FunctionalTests/IriTest.cs

@@ -2,8 +2,10 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
-using System.Text;
+using System.Collections.Generic;
 using System.Common.Tests;
+using System.Linq;
+using System.Text;
 
 using Xunit;
 
@@ -567,5 +569,33 @@ public void Iri_RelativeUriCreation_ShouldNotNormalize(string uriString)
             Assert.True(Uri.TryCreate(baseIri, href, out hrefAbsolute));
             Assert.Equal("http://www.contoso.com/%C3%A8", hrefAbsolute.AbsoluteUri);
         }
+
+        public static IEnumerable<object[]> AllForbiddenDecompositions() =>
+            from host in new[] { "canada.c\u2100.microsoft.com", // Unicode U+2100 'Account Of' decomposes to 'a/c'
+                                 "canada.c\u2488.microsoft.com", // Unicode U+2488 'Digit One Full Stop" decomposes to '1.'
+                                 "canada.c\u2048.microsoft.com", // Unicode U+2048 'Question Exclamation Mark" decomposes to '?!'
+                                 "canada.c\uD83C\uDD00.microsoft.com" } // Unicode U+2488 'Digit Zero Full Stop" decomposes to '0.'
+            from scheme in new[] { "http", // Known scheme.
+                                   "test" } // Unknown scheme.
+            select new object[] { scheme, host };
+
+        [Theory]
+        [MemberData(nameof(AllForbiddenDecompositions))]
+        public void Iri_AllForbiddenDecompositions_IdnHostThrows(string scheme, string host)
+        {
+            Uri uri = new Uri(scheme + "://" + host);
+            Assert.Throws<UriFormatException>(() => uri.IdnHost);
+        }
+
+        [Theory]
+        [MemberData(nameof(AllForbiddenDecompositions))]
+        public void Iri_AllForbiddenDecompositions_NonIdnPropertiesOk(string scheme, string host)
+        {
+            Uri uri = new Uri(scheme + "://" + host);
+            Assert.Equal(host, uri.Host);
+            Assert.Equal(host, uri.DnsSafeHost);
+            Assert.Equal(host, uri.Authority);
+            Assert.Equal(scheme + "://" + host + "/", uri.AbsoluteUri);
+        }
     }
 }