
Detect CR/LF and URL-encoded CR/LF in FtpWebRequest URI and command parameters #128983

Merged: mrek-msft merged 9 commits into main from copilot/support-url-encoded-check-for-new-line on Jun 29, 2026

Copilot AI commented Jun 4, 2026

Contributor

FtpWebRequest already rejects URIs containing a literal \r\n with a clear FormatException, but standalone \r or \n and the URL-encoded forms %0D / %0A slip past the check and fail later with a less informative exception — a common case when a stray CR/LF from upstream parsing gets URL-encoded for safety, or when a non-compliant URI contains only one of the two characters. The same gap existed in FtpControlStream.FormatFtpCommand, which only checked for literal \r\n in command parameters.

Changes

  • src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs: Extend the constructor's newline check to detect any of \r, \n, %0D, %0A individually (case-insensitive for the encoded forms), throwing the same FormatException (net_ftp_no_newlines) up front.
  • src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs: Extend FormatFtpCommand to check for literal \r and \n in command parameters. Note: URL-encoded forms are not checked here because parameters are already unescaped when they reach FormatFtpCommand, so checking for literal "%0A" or "%0D" strings would incorrectly reject legitimate filenames containing those character sequences.
  • src/libraries/System.Net.Requests/src/Resources/Strings.resx: Updated the net_ftp_no_newlines resource string from "CRLF character pair is not allowed in FtpWebRequest inputs." to "CR and LF characters are not allowed in FtpWebRequest inputs." to accurately reflect that individual CR and LF characters (and their URL-encoded forms in URIs) are each disallowed.
  • src/libraries/System.Net.Requests/tests/FtpWebRequestTest.cs:
    • Add Ctor_NewLineInUri_ThrowsFormatException theory covering literal \r\n, standalone \r and \n, and the %0D%0A / %0D / %0A (upper and lower case) variants.
    • Add Ftp_NewLineInRenameTo_GetResponse_Throws_FormatException_As_InnerException theory that exercises the new FormatFtpCommand check via the RenameTo property, gated with [ConditionalTheory(typeof(FtpWebRequestTest), nameof(LocalServerAvailable))] and using the shared absoluteUri, asserting that each literal \r, \n, \r\n variant results in a WebException whose InnerException is a FormatException.
    • Extend the existing Ftp_Ignore_NewLine_GetRequestStream_And_GetResponse_Throws_FormatException_As_InnerException test (previously a [ConditionalFact] covering only literal \r\n) into a [ConditionalTheory] with InlineData for each literal \r, \n, \r\n variant applied to both the username and password of the NetworkCredential.

```csharp
// URI validation (checks both literal and URL-encoded)
if (uri.OriginalString.AsSpan().ContainsAny('\r', '\n') ||
    uri.OriginalString.Contains("%0A", StringComparison.OrdinalIgnoreCase) ||
    uri.OriginalString.Contains("%0D", StringComparison.OrdinalIgnoreCase))
    throw new FormatException(SR.net_ftp_no_newlines);

// FormatFtpCommand validation (checks only literal CR/LF)
if (parameter is not null && parameter.AsSpan().ContainsAny('\r', '\n'))
    throw new FormatException(SR.net_ftp_no_newlines);
```
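
The two validation stages described above, run side by side on sample input, as an added example that is not code from this pull request. The class and method names are hypothetical, the URIs are constructed, and `Uri.UnescapeDataString` is an assumed stand-in for the unescaping that the description says happens before `FormatFtpCommand`.

```csharp
using System;

// Added illustration: FtpInputChecks and its members are hypothetical names,
// not types from System.Net.Requests.
static class FtpInputChecks
{
    // Stage 1: the URI exactly as the caller supplied it, before unescaping.
    // Literal and percent-encoded CR/LF are both rejected here.
    public static bool UriHasNewLine(string originalUri) =>
        originalUri.AsSpan().ContainsAny('\r', '\n') ||
        originalUri.Contains("%0A", StringComparison.OrdinalIgnoreCase) ||
        originalUri.Contains("%0D", StringComparison.OrdinalIgnoreCase);

    // Stage 2: a command parameter that has already been unescaped.
    // Only literal CR/LF count; the text "%0A" is ordinary filename characters.
    public static bool ParameterHasNewLine(string? parameter) =>
        parameter is not null && parameter.AsSpan().ContainsAny('\r', '\n');

    // Make control characters visible when printing.
    static string Show(string s) => s.Replace("\r", "\\r").Replace("\n", "\\n");

    static void Main()
    {
        // Constructed sample URIs; example.com is a placeholder host.
        string[] uris =
        {
            "ftp://example.com/reports/q1.txt",          // clean
            "ftp://example.com/reports/q1.txt%0d",       // encoded CR, lower case
            "ftp://example.com/reports/q1.txt\n",        // standalone literal LF
            "ftp://example.com/reports/100%250Adone.txt" // "%25" decodes to '%'
        };

        foreach (string uri in uris)
        {
            // Assumption: Uri.UnescapeDataString stands in for the unescaping
            // that happens before a parameter reaches command formatting.
            string fileName = Uri.UnescapeDataString(uri[(uri.LastIndexOf('/') + 1)..]);

            Console.WriteLine($"{Show(uri)}");
            Console.WriteLine($"  stage 1 (URI) rejects:       {UriHasNewLine(uri)}");
            Console.WriteLine($"  stage 2 sees \"{Show(fileName)}\", rejects: {ParameterHasNewLine(fileName)}");
        }
    }
}
```

The last URI passes both stages: its unescaped file name contains the text `%0A` but no newline, which is the case a literal `%0A` check on parameters would wrongly reject.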

Copilot AI self-assigned this Jun 4, 2026
Copilot AI review requested due to automatic review settings June 4, 2026 11:51
Copilot AI removed the request for review from Copilot June 4, 2026 11:51
Copilot AI linked an issue Jun 4, 2026 that may be closed by this pull request
@MihaZupan MihaZupan assigned mrek-msft and unassigned MihaZupan Jun 4, 2026
Co-authored-by: MihaZupan <25307628+MihaZupan@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot June 4, 2026 12:25
Copilot AI changed the title from "[WIP] Add support for URL encoded check for new line in FtpWebRequest" to "Detect URL-encoded CRLF (%0D%0A) in FtpWebRequest URI" Jun 4, 2026
Copilot AI requested a review from MihaZupan June 4, 2026 12:26
@dotnet-policy-service

Contributor

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

@mrek-msft

Member

@copilot add support for checking all \n, \r, %0D, %0A separately, so we detect even wrong and non-compliant at once requests.

Co-authored-by: mrek-msft <188900745+mrek-msft@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot June 26, 2026 12:14

Copilot AI commented Jun 26, 2026

Contributor Author

@copilot add support for checking all \n, \r, %0D, %0A separately, so we detect even wrong and non-compliant at once requests.

Done in de62365 — the check now matches any of \r, \n, %0D, %0A individually (case-insensitive for the encoded forms), and the test theory covers each variant.

Note

This response was generated by GitHub Copilot.

Copilot AI changed the title from "Detect URL-encoded CRLF (%0D%0A) in FtpWebRequest URI" to "Detect CR/LF and URL-encoded CR/LF in FtpWebRequest URI" Jun 26, 2026
Copilot AI requested a review from mrek-msft June 26, 2026 12:15
@mrek-msft

Member

@copilot. Add similar check (for each 4 separately) to FormatFtpCommand in src\System\Net\FtpControlStream.cs.

Co-authored-by: mrek-msft <188900745+mrek-msft@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot June 26, 2026 14:24

Copilot AI commented Jun 26, 2026

Contributor Author

@copilot process review comment and along the way you can extend already existing test Ftp_Ignore_NewLine_GetRequestStream_And_GetResponse_Throws_FormatException_As_InnerException with support for o...

Done in 7096392 — converted Ftp_Ignore_NewLine_GetRequestStream_And_GetResponse_Throws_FormatException_As_InnerException to a ConditionalTheory with InlineData for each variant (\r\n, \r, \n, %0D%0A, %0D, %0A, upper/lower case) applied to both the username and password of the NetworkCredential, matching the same set covered by the URI ctor and RenameTo theories.

Note

This response was generated by GitHub Copilot.

@mrek-msft mrek-msft marked this pull request as ready for review June 27, 2026 13:26
Copilot AI review requested due to automatic review settings June 27, 2026 13:26

Copilot AI left a comment

Contributor

Pull request overview

This PR tightens FTP input validation to reject newline characters earlier and more consistently, both in FtpWebRequest URI handling and when formatting FTP control commands, with corresponding test coverage.

Changes:

  • Extend FtpWebRequest construction-time validation to reject \r, \n, and %0D/%0A in the URI’s original string.
  • Extend FtpControlStream.FormatFtpCommand validation similarly for command parameters.
  • Add/expand xUnit theories to cover the new rejection cases (URI ctor, credentials, and RenameTo).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs | Broaden newline detection in the internal constructor to reject CR/LF and %0D/%0A. |
| src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs | Broaden FormatFtpCommand validation to reject CR/LF and %0D/%0A in parameters. |
| src/libraries/System.Net.Requests/tests/FtpWebRequestTest.cs | Add theories covering literal and encoded newline variants across URI construction and command-parameter paths. |

Comment thread src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs Outdated
Comment thread src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs
Co-authored-by: mrek-msft <188900745+mrek-msft@users.noreply.github.com>
Co-authored-by: mrek-msft <188900745+mrek-msft@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot June 27, 2026 14:01
Comment thread src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs
Copilot AI requested a review from mrek-msft June 28, 2026 16:02
@mrek-msft mrek-msft merged commit 17be26d into main Jun 29, 2026
88 of 90 checks passed
@mrek-msft mrek-msft deleted the copilot/support-url-encoded-check-for-new-line branch June 29, 2026 08:10

Development

Successfully merging this pull request may close these issues.

Support for URL encoded check for new line in FtpWebRequest

5 participants