
2007-04-24 Marek Habersack <[email protected]>

	* HttpRequest.cs: MS.NET throws HttpException for invalid paths,
	not ArgumentNullException.

	* HttpException.cs: wrap GetHtmlErrorMessage internals in
	try/catch to capture possible exceptions in HttpContext.

	* HttpContext.cs: IsCustomErrorEnabled is used from within
	HttpException, make sure it gets the section in a safe way and
	resorts to the default settings.
	
	* HttpResponse.cs: HeaderEncoding is used in the same context as
	above. Take the same precautions.

2007-04-24  Marek Habersack  <[email protected]>

	* WebConfigurationHost.cs: wrap MapPath calls in try/catch,
	because bad URLs can cause it to throw exceptions. If such
	exception is caught, throw a HttpException for Bad Request (400).

	* WebConfigurationManager.cs: added two internal methods for safe
	retrieval of config sections.


svn path=/trunk/mcs/; revision=76162
Marek Habersack 18 роки тому
батько
коміт
aef2ee73d1

+ 9 - 0
mcs/class/System.Web/System.Web.Configuration_2.0/ChangeLog

@@ -1,3 +1,12 @@
+2007-04-24  Marek Habersack  <[email protected]>
+
+	* WebConfigurationHost.cs: wrap MapPath calls in try/catch,
+	because bad URLs can cause it to throw exceptions. If such
+	exception is caught, throw a HttpException for Bad Request (400).
+
+	* WebConfigurationManager.cs: added two internal methods for safe
+	retrieval of config sections.
+
 2007-04-19  Marek Habersack  <[email protected]>
 
 	* HttpHandlerAction.cs: look up types in all the toplevel

+ 9 - 6
mcs/class/System.Web/System.Web.Configuration_2.0/WebConfigurationHost.cs

@@ -166,8 +166,12 @@ namespace System.Web.Configuration
 				return GetWebConfigFileName (mdir);
 			}
 			
-			string dir = MapPath (configPath);
-			return GetWebConfigFileName (dir);
+			try {
+				string dir = MapPath (configPath);
+				return GetWebConfigFileName (dir);
+			} catch (Exception ex) {
+				throw new HttpException (400, "Bad Request");
+			}
 		}
 		
 		public virtual string GetStreamNameForConfigSource (string streamName, string configSource)
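Review bot: The new `catch (Exception ex)` around `MapPath` and `GetWebConfigFileName` turns every failure into a 400 and discards `ex`, so a server-side fault (I/O, permissions, a defect in the path mapper) is reported as a malformed client request and leaves nothing for whoever investigates it. Keep the cause attached with `throw new HttpException (400, "Bad Request", ex);`, which also removes the unused-variable warning. Consider catching only the exception types a bad URL is expected to raise, so that unrelated errors keep their own status. The enclosing method starts outside the hunk.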
@@ -235,8 +239,7 @@ namespace System.Web.Configuration
 		{
 			if (map != null)
 				return MapPathFromMapper (virtualPath);
-			else if (HttpContext.Current != null
-				 && HttpContext.Current.Request != null)
+			else if (HttpContext.Current != null && HttpContext.Current.Request != null)
 				return HttpContext.Current.Request.MapPath (virtualPath);
 			else if (HttpRuntime.AppDomainAppVirtualPath != null &&
 				 virtualPath.StartsWith (HttpRuntime.AppDomainAppVirtualPath)) {
@@ -245,8 +248,8 @@ namespace System.Web.Configuration
 				return UrlUtils.Combine (HttpRuntime.AppDomainAppPath,
 							 virtualPath.Substring (HttpRuntime.AppDomainAppVirtualPath.Length));
 			}
-			else
-				return virtualPath;
+			
+			return virtualPath;
 		}
 		
 		public string NormalizeVirtualPath (string virtualPath)

+ 22 - 0
mcs/class/System.Web/System.Web.Configuration_2.0/WebConfigurationManager.cs

@@ -223,6 +223,28 @@ namespace System.Web.Configuration {
 			return OpenMappedMachineConfiguration (fileMap);
 		}
 
+		internal static object SafeGetSection (string sectionName, Type configSectionType)
+		{
+			try {
+				return GetSection (sectionName);
+			} catch (Exception) {
+				if (configSectionType != null)
+					return Activator.CreateInstance (configSectionType);
+				return null;
+			}
+		}
+		
+		internal static object SafeGetSection (string sectionName, string path, Type configSectionType)
+		{
+			try {
+				return GetSection (sectionName, path);
+			} catch (Exception) {
+				if (configSectionType != null)
+					return Activator.CreateInstance (configSectionType);
+				return null;
+			}
+		}
+		
 		public static object GetSection (string sectionName)
 		{
 			string path = (HttpContext.Current != null
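Review bot: Both `SafeGetSection` overloads swallow every exception from `GetSection` and return a default-constructed section, so a broken or unreadable configuration becomes indistinguishable from an unconfigured one. That is reasonable on the error-rendering path this commit targets (the `IsCustomErrorEnabled` and `HeaderEncoding` getters in HttpContext.cs and HttpResponse.cs), but it would fail open if the helper were later reused for a section that carries access-control or other hardening settings. A comment on each overload would pin the intent, for example `// Error path only: falls back to built-in defaults when the config cannot be read; do not use for security-relevant sections`. Note also that `Activator.CreateInstance` runs inside the `catch`, so an exception from it still escapes to the caller.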

+ 15 - 0
mcs/class/System.Web/System.Web/ChangeLog

@@ -1,3 +1,18 @@
+2007-04-24  Marek Habersack  <[email protected]>
+
+	* HttpRequest.cs: MS.NET throws HttpException for invalid paths,
+	not ArgumentNullException.
+
+	* HttpException.cs: wrap GetHtmlErrorMessage internals in
+	try/catch to capture possible exceptions in HttpContext.
+
+	* HttpContext.cs: IsCustomErrorEnabled is used from within
+	HttpException, make sure it gets the section in a safe way and
+	resorts to the default settings.
+	
+	* HttpResponse.cs: HeaderEncoding is used in the same context as
+	above. Take the same precautions.
+	
 2007-04-22 Joshua Tauberer <[email protected]>
  
  	* HttpParamsCollection.cs: Fix IndexOutOfRangeException.

+ 1 - 1
mcs/class/System.Web/System.Web/HttpContext.cs

@@ -174,7 +174,7 @@ namespace System.Web {
 		public bool IsCustomErrorEnabled {
 			get {
 #if NET_2_0
-				CustomErrorsSection cfg = (CustomErrorsSection) WebConfigurationManager.GetSection ("system.web/customErrors");
+				CustomErrorsSection cfg = WebConfigurationManager.SafeGetSection ("system.web/customErrors", typeof (CustomErrorsSection)) as CustomErrorsSection;
 #else
 				CustomErrorsConfig cfg = null;
 				try {

+ 14 - 6
mcs/class/System.Web/System.Web/HttpException.cs

@@ -103,13 +103,20 @@ namespace System.Web
 
 		public string GetHtmlErrorMessage ()
 		{
-			if (HttpContext.Current.IsCustomErrorEnabled)
+			try {
+				if (HttpContext.Current.IsCustomErrorEnabled)
+					return GetCustomErrorDefaultMessage ();
+				
+				if (!(this.InnerException is HtmlizedException))
+					return GetDefaultErrorMessage ();
+				
+				return GetHtmlizedErrorMessage ();
+			} catch {
+				// we need the try/catch block in case the
+				// problem was with MapPath, which will cause
+				// IsCustomErrorEnabled to throw an exception
 				return GetCustomErrorDefaultMessage ();
-			
-			if (!(this.InnerException is HtmlizedException))
-				return GetDefaultErrorMessage ();
-
-			return GetHtmlizedErrorMessage ();
+			}
 		}
 
 		internal virtual string Description {
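Review bot: The bare `catch` in `GetHtmlErrorMessage` covers the whole body rather than only the `IsCustomErrorEnabled` lookup that its comment names, so an exception thrown by `GetDefaultErrorMessage` or `GetHtmlizedErrorMessage` is also silently replaced by the generic page. Falling back to the generic message is the safe direction for information disclosure, but limiting the guard to the flag evaluation keeps faults in the renderers visible. The sketch below preserves the current outcome when `HttpContext.Current` is null or the lookup throws.

```csharp
public string GetHtmlErrorMessage ()
{
	bool customErrors;
	try {
		HttpContext ctx = HttpContext.Current;
		customErrors = ctx == null || ctx.IsCustomErrorEnabled;
	} catch (Exception) {
		// config lookup failed (e.g. MapPath on a bad URL): show the generic page
		customErrors = true;
	}

	if (customErrors)
		return GetCustomErrorDefaultMessage ();
	// … unchanged: HtmlizedException check and the two remaining returns …
```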
@@ -135,6 +142,7 @@ table.sampleCode {{width: 100%; background-color: #ffffcc; }}
 .version {{color: gray;}}
 .error {{margin-bottom: 10px;}}
 .expandable {{ text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }}", errorStyleFonts);
+
 			builder.AppendFormat (
 				"</style></head><body><h1>Server Error in '{0}' Application</h1><hr style=\"color: silver\"/>",
 				HtmlEncode (HttpRuntime.AppDomainAppVirtualPath));

+ 1 - 2
mcs/class/System.Web/System.Web/HttpRequest.cs

@@ -1084,8 +1084,7 @@ namespace System.Web {
 			}
 
 			if (virtualPath.IndexOf (':') != -1)
-				throw new ArgumentNullException (
-					String.Format ("MapPath: Invalid path '{0}', only virtual paths are accepted", virtualPath));
+				throw new HttpException (String.Format ("'{0}' is not a valid virtual path.", virtualPath));
 
 			string appVirtualPath = HttpRuntime.AppDomainAppVirtualPath;
 
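Review bot: The new `HttpException` message embeds `virtualPath` verbatim, and since that value has just been rejected as invalid and is likely request-derived, it should be treated as untrusted wherever `Message` is rendered or logged; the hunk does not show whether the error page encodes it. A comment above the throw would record this, e.g. `// virtualPath may come from the request; encode Message before writing it into HTML or logs`. This constructor also carries no status code, while the companion change in WebConfigurationHost.cs reports bad paths as 400, so it is worth confirming the resulting status is the one intended. The enclosing method starts and ends outside the hunk.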

+ 2 - 2
mcs/class/System.Web/System.Web/HttpResponse.cs

@@ -257,8 +257,8 @@ namespace System.Web {
 		public Encoding HeaderEncoding {
 			get {
 				if (headerEncoding == null) {
-					GlobalizationSection gs = WebConfigurationManager.GetSection ("system.web/globalization")
-						as GlobalizationSection;
+					GlobalizationSection gs = WebConfigurationManager.SafeGetSection ("system.web/globalization", typeof (GlobalizationSection)) as GlobalizationSection;
+
 					if (gs == null)
 						headerEncoding = Encoding.UTF8;
 					else {