Imported Upstream version 5.10.0.47

Former-commit-id: d0813289fa2d35e1f8ed77530acb4fb1df441bc0

mcs/class/referencesource/System.Web/Cache/cache.cs

@@ -422,12 +422,11 @@ namespace System.Web.Caching {
             DateTime utcAbsoluteExpiration = DateTimeUtil.ConvertToUniversalTime(absoluteExpiration);
             ObjectCache.Insert(key, value, new CacheInsertOptions() {
                                                 Dependencies = dependencies,
-                                                AbsoluteExpiration = absoluteExpiration,
+                                                AbsoluteExpiration = utcAbsoluteExpiration,
                                                 SlidingExpiration = slidingExpiration
                                             });
         }
 
-
         public void Insert(
                 string key,
                 object value,

mcs/class/referencesource/System.Web/Configuration/FormsAuthPasswordFormat.cs

@@ -15,6 +15,9 @@ namespace System.Web.Configuration {
     public enum FormsAuthPasswordFormat {
         Clear,
         SHA1,
-        MD5
+        MD5,
+        SHA256,
+        SHA384,
+        SHA512
     }
 }

mcs/class/referencesource/System.Web/Configuration/HttpCapabilitiesBase.cs

@@ -139,7 +139,8 @@ namespace System.Web.Configuration {
             HttpCapabilitiesBase capabilities = null;
 
             // Get the config evaluator from the cached config object.
-            HttpCapabilitiesDefaultProvider capsbuilder = RuntimeConfig.GetConfig(request.Context).BrowserCaps;
+            HttpCapabilitiesDefaultProvider capsbuilder = request.Context.IsRuntimeErrorReported ?
+                RuntimeConfig.GetLKGConfig(request.Context).BrowserCaps : RuntimeConfig.GetConfig(request.Context).BrowserCaps;
             if (capsbuilder != null) {
                 if (BrowserCapabilitiesProvider != null) {
                     capsbuilder.BrowserCapabilitiesProvider = BrowserCapabilitiesProvider;

mcs/class/referencesource/System.Web/Hosting/ApplicationManager.cs

@@ -61,6 +61,7 @@ namespace System.Web.Hosting {
 
         private const string _clrQuirkAppSettingsAppContextPrefix = "AppContext.SetSwitch:";
         private const string _regexMatchTimeoutKey = "REGEX_DEFAULT_MATCH_TIMEOUT";
+        private const string _configBuildersIgnoreLoadFailuresSwitch = "ConfigurationBuilders.IgnoreLoadFailure";   // Keep in sync with System.Configuration
         private static readonly StrongName _mwiV1StrongName = GetMicrosoftWebInfrastructureV1StrongName();
 
         private static Object _applicationManagerStaticLock = new Object();
@@ -941,6 +942,8 @@ namespace System.Web.Hosting {
                 bool requireHostExecutionContextManager = false;
                 bool requireHostSecurityManager = false;
 
+                AppDomain.CurrentDomain.SetData(_configBuildersIgnoreLoadFailuresSwitch, true);
+
                 uncTokenConfig = appHost.GetConfigToken();
                 if (uncTokenConfig != IntPtr.Zero) {
                     ictxConfig = new ImpersonationContext(uncTokenConfig);

mcs/class/referencesource/System.Web/HttpApplication.cs.REMOVED.git-id

@@ -1 +1 @@
-1ec9a1266c7cff889676e8c9a7149a5bfb28aa80
+c50c8fea69b2d49a74fedb5b0e1b8c6ffe9d0238

mcs/class/referencesource/System.Web/HttpContext.cs

@@ -2006,6 +2006,10 @@ namespace System.Web {
             get { return (_notificationContext.CurrentNotificationFlags & FLAG_CHANGE_IN_USER_OBJECT) == FLAG_CHANGE_IN_USER_OBJECT; }
         }
 
+        internal bool IsRuntimeErrorReported {
+            get { return _runtimeErrorReported; }
+        }
+
         internal bool IsSendResponseHeaders {
             get { return (_notificationContext.CurrentNotificationFlags & FLAG_SEND_RESPONSE_HEADERS) == FLAG_SEND_RESPONSE_HEADERS; }
         }

mcs/class/referencesource/System.Web/HttpCookie.cs

@@ -18,6 +18,7 @@ namespace System.Web {
     using System.Security.Permissions;
     using System.Web.Configuration;
     using System.Web.Management;
+    using Util;
 
 
     /// <devdoc>
@@ -336,6 +337,82 @@ namespace System.Web {
             }
         }
 
+        /// <summary>
+        /// Converts the specified string representation of an HTTP cookie to HttpCookie
+        /// </summary>
+        /// <param name="input"></param>
+        /// <param name="result"></param>
+        /// <returns></returns>
+        public static bool TryParse(string input, out HttpCookie result) {
+            result = null;
+
+            if (string.IsNullOrEmpty(input)) {
+                return false;
+            }
+
+            // The substring before the first ';' is cookie-pair, with format of cookiename[=key1=val2&key2=val2&...]
+            int dividerIndex = input.IndexOf(';');
+            string cookiePair = dividerIndex >= 0 ? input.Substring(0, dividerIndex) : input;
+
+            HttpCookie cookie = HttpRequest.CreateCookieFromString(cookiePair.Trim());
+
+            // If there was no cookie name being created, stop parsing and return
+            if (string.IsNullOrEmpty(cookie.Name)) {
+                return false;
+            }
+
+            //
+            // Parse the collections of cookie-av 
+            // cookie-av = expires-av/max-age-av/domain-av/path-av/secure-av/httponly-av/extension-av
+            // https://tools.ietf.org/html/rfc6265 
+
+            while (dividerIndex >= 0 && dividerIndex < input.Length - 1) {
+                int cookieAvStartIndex = dividerIndex + 1;
+                dividerIndex = input.IndexOf(';', cookieAvStartIndex);
+                string cookieAv = dividerIndex >= 0 ? input.Substring(cookieAvStartIndex, dividerIndex - cookieAvStartIndex).Trim() : input.Substring(cookieAvStartIndex).Trim();
+
+                int assignmentIndex = cookieAv.IndexOf('=');
+                string attributeName = assignmentIndex >= 0 ? cookieAv.Substring(0, assignmentIndex).Trim() : cookieAv;
+                string attributeValue = assignmentIndex >= 0 && assignmentIndex < cookieAv.Length - 1 ? cookieAv.Substring(assignmentIndex + 1).Trim() : null;
+
+                //
+                // Parse supported cookie-av Attribute
+
+                //
+                // Expires
+                if (StringUtil.EqualsIgnoreCase(attributeName, "Expires")) {
+                    DateTime dt;
+                    if (DateTime.TryParse(attributeValue, out dt)) {
+                        cookie.Expires = dt;
+                    }
+                }
+                //
+                // Domain
+                else if (attributeValue != null && StringUtil.EqualsIgnoreCase(attributeName, "Domain")) {
+                    cookie.Domain = attributeValue;
+                }
+                //
+                // Path
+                else if (attributeValue != null && StringUtil.EqualsIgnoreCase(attributeName, "Path")) {
+                    cookie.Path = attributeValue;
+                }
+                //
+                // Secure
+                else if (StringUtil.EqualsIgnoreCase(attributeName, "Secure")) {
+                    cookie.Secure = true;
+                }
+                //
+                // HttpOnly
+                else if (StringUtil.EqualsIgnoreCase(attributeName, "HttpOnly")) {
+                    cookie.HttpOnly = true;
+                }
+            }
+
+            result = cookie;
+
+            return true;
+        }
+
         /*
          * Construct set-cookie header
          */

mcs/class/referencesource/System.Web/HttpResponse.cs.REMOVED.git-id

@@ -1 +1 @@
-b18ee02480d1132515fa9e2af07eef2f7cf3f51f
+69bc63a8366a6855c4496450567953cf5d8314fc

mcs/class/referencesource/System.Web/Security/Cryptography/CryptoAlgorithms.cs

@@ -81,6 +81,14 @@ namespace System.Web.Security.Cryptography {
             return new SHA256Cng();
         }
 
+        internal static SHA384 CreateSHA384() {
+            return new SHA384Cng();
+        }
+
+        internal static SHA512 CreateSHA512() {
+            return new SHA512Cng();
+        }
+
         [SuppressMessage("Microsoft.Cryptographic.Standard", "CA5353:TripleDESCannotBeUsed", Justification = @"This is only used by legacy code; new features do not use this algorithm.")]
         [Obsolete("3DES is deprecated and MUST NOT be used by new features. Consider using AES instead.")]
         internal static TripleDES CreateTripleDES() {

mcs/class/referencesource/System.Web/Security/FormsAuthentication.cs

@@ -63,6 +63,12 @@ namespace System.Web.Security {
                 hashAlgorithm = CryptoAlgorithms.CreateSHA1();
             else if (StringUtil.EqualsIgnoreCase(passwordFormat, "md5"))
                 hashAlgorithm = CryptoAlgorithms.CreateMD5();
+            else if (StringUtil.EqualsIgnoreCase(passwordFormat, "sha256"))
+                hashAlgorithm = CryptoAlgorithms.CreateSHA256();
+            else if (StringUtil.EqualsIgnoreCase(passwordFormat, "sha384"))
+                hashAlgorithm = CryptoAlgorithms.CreateSHA384();
+            else if (StringUtil.EqualsIgnoreCase(passwordFormat, "sha512"))
+                hashAlgorithm = CryptoAlgorithms.CreateSHA512();
             else
                 throw new ArgumentException(SR.GetString(SR.InvalidArgumentValue, "passwordFormat"));
 
@@ -346,6 +352,15 @@ namespace System.Web.Security {
 #pragma warning disable 618 // HashPasswordForStorignInConfigFile is now obsolete
             switch (settings.Forms.Credentials.PasswordFormat)
             {
+                case FormsAuthPasswordFormat.SHA256:
+                    encPassword = HashPasswordForStoringInConfigFile(password, "sha256");
+                    break;
+                case FormsAuthPasswordFormat.SHA384:
+                    encPassword = HashPasswordForStoringInConfigFile(password, "sha384");
+                    break;
+                case FormsAuthPasswordFormat.SHA512:
+                    encPassword = HashPasswordForStoringInConfigFile(password, "sha512");
+                    break;
                 case FormsAuthPasswordFormat.SHA1:
                     encPassword = HashPasswordForStoringInConfigFile(password, "sha1");
                     break;

mcs/class/referencesource/System.Web/Security/Membership.cs

@@ -399,6 +399,13 @@ namespace System.Web.Security {
                     MembershipSection settings = appConfig.Membership;
                     generalSettingsInitialized = InitializeSettings(initializeGeneralSettings, appConfig, settings);
                     defaultProviderInitialized = InitializeDefaultProvider(initializeDefaultProvider, settings);
+
+                    // VSO #265267 log warning in event log when using clear password and encrypted password in Membership provider
+                    // VSO #433626 In order to minimize the behavior change, we are going to read the password format from the config settings only instead of getting from the provider class
+                    // Also allow user to opt-out this feature.
+                    if (AppSettings.LogMembershipPasswordFormatWarning) {
+                        CheckedPasswordFormat(settings);
+                    }
                 } catch (Exception e) {
                     s_InitializeException = e;
                     throw;
@@ -412,23 +419,23 @@ namespace System.Web.Security {
                 if (defaultProviderInitialized) {
                     s_InitializedDefaultProvider = true;
                 }
-                // VSO #265267 log warning in event log when using clear password and encrypted password in Membership provider
-                // VSO #366114 Move this to only after the initialization has fully completed.
-                if (s_Initialized && s_InitializedDefaultProvider) {
-                     CheckedPasswordFormat(s_Providers);
-                 }
             }
         }
 
         // VSO #265267 we want to log a warning in the event log, whenever detect using clear password or encrypted password formats settings in Membership provider
-        private static void CheckedPasswordFormat(MembershipProviderCollection providers) {
+        // VSO #433626 In order to minimize the behavior change, we are going to read the password format from the config settings only instead of getting from the provider class
+        private static void CheckedPasswordFormat(MembershipSection settings) {
             //VSO #294931 Since this is an optional feature, we want to prevent any corner cases that were not able to return the password format. In those cases, we will just do nothing and not log any warnings.
             try {
-
-                foreach (MembershipProvider p in providers) {
-                    if (p != null && (p.PasswordFormat == MembershipPasswordFormat.Clear || p.PasswordFormat == MembershipPasswordFormat.Encrypted)) {
-                        string providerName = p.Name ?? string.Empty;
-                        WebBaseEvent.RaiseRuntimeError(new ConfigurationErrorsException(SR.GetString(SR.MembershipPasswordFormat_Obsoleted, providerName, p.PasswordFormat)), typeof(MembershipProvider));
+                if (settings != null && settings.Providers != null) {
+                    foreach (ProviderSettings ps in settings.Providers) {
+                        if (ps != null && ps.Parameters != null) {
+                            string passwordFormat = ps.Parameters["passwordFormat"];
+                            if (StringUtil.EqualsIgnoreCase(passwordFormat, "Clear") || StringUtil.EqualsIgnoreCase(passwordFormat, "Encrypted")) {
+                                string providerName = ps.Name ?? string.Empty;
+                                WebBaseEvent.RaiseRuntimeError(new ConfigurationErrorsException(SR.GetString(SR.MembershipPasswordFormat_Obsoleted, providerName, passwordFormat)), typeof(MembershipProvider));
+                            }
+                        }
                     }
                 }
             }

mcs/class/referencesource/System.Web/System.Web.txt.REMOVED.git-id

@@ -1 +1 @@
-c7e6ceda08b7223000ab50091f7d0699cc606d9f
+987a5ccfa8b8156f4c97bd15dc330af20d907e6d

mcs/class/referencesource/System.Web/Util/AppSettings.cs

@@ -133,6 +133,9 @@ namespace System.Web.Util {
                             if (settings == null || !int.TryParse(settings["aspnet:RequestQueueLimitPerSession"], out _requestQueueLimitPerSession) || _requestQueueLimitPerSession < 0)
                                 _requestQueueLimitPerSession = BinaryCompatibility.Current.TargetsAtLeastFramework463 ? DefaultRequestQueueLimitPerSession : UnlimitedRequestsPerSession;
 
+                            if (settings == null || !Boolean.TryParse(settings["aspnet:LogMembershipPasswordFormatWarning"], out _logMembershipPasswordFormatWarning))
+                                _logMembershipPasswordFormatWarning = true;
+
                             _settingsInitialized = true;
                         }
                     }
@@ -506,5 +509,15 @@ namespace System.Web.Util {
                 return _requestQueueLimitPerSession;
             }
         }
+
+        // true [default] to log warning if password format is not secure
+        // false -- Not to log warning if password format is not secure
+        private static bool _logMembershipPasswordFormatWarning;
+        internal static bool LogMembershipPasswordFormatWarning {
+            get {
+                EnsureSettingsLoaded();
+                return _logMembershipPasswordFormatWarning;
+            }
+        }
     }
 }