Merge branch 'master' into ca5366

Author: LLLXXXCCC

docs/code-quality/ca5365.md

@@ -0,0 +1,68 @@
+---
+title: "CA5365: Do Not Disable HTTP Header Checking"
+description: Provides information about code analysis rule CA5365, including causes, how to fix violations, and when to suppress it.
+ms.date: 04/29/2020
+ms.topic: reference
+author: LLLXXXCCC
+ms.author: linche
+manager: jillfra
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5365"
+---
+# CA5364: Do Not Disable HTTP Header Checking
+
+|||
+|-|-|
+|CheckId|CA5365|
+|Category|Microsoft.Security|
+|Breaking change|Non-breaking|
+
+## Cause
+
+Set <xref:System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking> to false.
+
+## Rule description
+
+HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained in the header.
+
+## How to fix violations
+
+Set <xref:System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking> to true. Or, remove the assignment to false because the default value is true.
+
+## When to suppress warnings
+
+HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the <xref:System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking> property to false. There is a performance impact from checking the headers. If you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.
+
+## Pseudo-code examples
+
+```csharp
+using System;
+using System.Web.Configuration;
+
+class TestClass
+{
+    public void TestMethod()
+    {
+        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
+        httpRuntimeSection.EnableHeaderChecking = false;
+    }
+}
+```
+
+### Solution
+
+```csharp
+using System;
+using System.Web.Configuration;
+
+class TestClass
+{
+    public void TestMethod()
+    {
+        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
+        httpRuntimeSection.EnableHeaderChecking = true;
+    }
+}
+```

docs/code-quality/code-analysis-warnings-for-managed-code-by-checkid.md

@@ -540,5 +540,6 @@ The following table lists Code Analysis warnings for managed code by the CheckId
 | CA2245 | [CA2245: Do not assign a property to itself](../code-quality/ca2245.md) | A property was accidentally assigned to itself. |
 | CA2246 | [CA2246: Do not assign a symbol and its member in the same statement](../code-quality/ca2246.md) | Assigning a symbol and its member, that is, a field or a property, in the same statement is not recommended. It is not clear if the member access was intended to use the symbol's old value prior to the assignment or the new value from the assignment in this statement. |
 | CA5122 | [CA5122 P/Invoke declarations should not be safe critical](../code-quality/ca5122.md) | Methods are marked as SecuritySafeCritical when they perform a security sensitive operation, but are also safe to be used by transparent code. Transparent code may never directly call native code through a P/Invoke. Therefore, marking a P/Invoke as security safe critical will not enable transparent code to call it, and is misleading for security analysis. |
+| CA5365 | [CA5365 Do Not Disable HTTP Header Checking](../code-quality/ca5365.md) | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. |
 | CA5366 | [CA5366 Use XmlReader For DataSet Read XML](../code-quality/ca5366.md) | Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled. |
 | CA5374 | [CA5374 Do Not Use XslTransform](../code-quality/ca5374.md) | This rule checks if <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is instantiated in the code. <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is now obsolete and shouldn’t be used. |

docs/code-quality/install-fxcop-analyzers.md

@@ -66,8 +66,9 @@ Use the following guidelines to determine which version of the FxCop analyzers p
 
 | Visual Studio version | FxCop analyzer package version |
 | - | - |
-| Visual Studio 2019 (all versions)<br />Visual Studio 2017 version 15.8 and later | [latest](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/) |
-| Visual Studio 2017 version 15.5 to 15.7 | [2.6.3](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/2.6.3) |
+| Visual Studio 2019 (all versions) | [latest](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/) | 
+| Visual Studio 2017 version 15.9 | [2.9.9](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/2.9.9) |
+| Visual Studio 2017 version 15.5 to 15.8 | [2.6.4](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/2.6.4) |
 | Visual Studio 2017 version 15.3 to 15.4 | [2.3.0-beta1](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/2.3.0-beta1) |
 | Visual Studio 2017 version 15.0 to 15.2 | [2.0.0-beta2](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/2.0.0-beta2) |
 | Visual Studio 2015 update 2 and 3 | [1.2.0-beta2](https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/1.2.0-beta2) |

docs/code-quality/security-warnings.md

@@ -103,6 +103,7 @@ Security warnings support safer libraries and applications. These warnings help
 |[CA5361: Do not disable SChannel use of strong crypto](../code-quality/ca5361.md)|Setting `Switch.System.Net.DontEnableSchUseStrongCrypto` to `true` weakens the cryptography used in outgoing Transport Layer Security (TLS) connections. Weaker cryptography can compromise the confidentiality of communication between your application and the server, making it easier for attackers to eavesdrop sensitive data.|
 |[CA5363: Do not disable request validation](../code-quality/ca5363.md)|Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site-scripting.|
 |[CA5364: Do not use deprecated security protocols](../code-quality/ca5364.md)|Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk.|
+|[CA5365: Do Not Disable HTTP Header Checking](../code-quality/ca5365.md)|HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header.|
 |[CA5366: Use XmlReader For DataSet Read XML](../code-quality/ca5366.md)|Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled.|
 |[CA5369: Use XmlReader for Deserialize](../code-quality/ca5369.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled.|
 |[CA5370: Use XmlReader for validating reader](../code-quality/ca5370.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references. This dangerous loading can be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled.|
@@ -115,5 +116,5 @@ Security warnings support safer libraries and applications. These warnings help
 |[CA5381: Ensure certificates are not added to root store](../code-quality/ca5381.md)|This rule detects code that potentially adds a certificate into the Trusted Root Certification Authorities certificate store. By default, the Trusted Root Certification Authorities certificate store is configured with a set of public certification authorities (CAs) that has met the requirements of the Microsoft Root Certificate Program.|
 |[CA5386: Avoid hardcoding SecurityProtocolType value](../code-quality/ca5386.md)|Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version and target at least .NET Framework v4.7.1.|
 |[CA5389: Do not add archive item's path to the target file system path](../code-quality/ca5389.md)|File path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique.|
-|[CA5397: Do not use deprecated SslProtocols values](../code-quality/ca5397.md)|ransport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk.|
+|[CA5397: Do not use deprecated SslProtocols values](../code-quality/ca5397.md)|Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk.|
 |[CA5398: Avoid hardcoded SslProtocols values](../code-quality/ca5398.md)|Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version.|

docs/code-quality/toc.yml

@@ -752,6 +752,8 @@
           href: ca5363.md
         - name: "CA5364: Do not use deprecated security protocols"
           href: ca5364.md
+        - name: "CA5365: Do Not Disable HTTP Header Checking"
+          href: ca5365.md
         - name: "CA5366: Use XmlReader For DataSet Read XML"
           href: ca5366.md
         - name: "CA5369: Use XmlReader for Deserialize"

docs/install/uninstall-visual-studio.md

@@ -2,7 +2,7 @@
 title: Uninstall Visual Studio
 titleSuffix: ''
 description: Learn how to uninstall Visual Studio, step-by-step.
-ms.date: 12/19/2019
+ms.date: 05/06/2020
 ms.custom: seodec18
 ms.topic: conceptual
 f1_keywords:
@@ -24,6 +24,13 @@ This page walks you through uninstalling Visual Studio, our integrated suite of
 > [!NOTE]
 > This topic applies to Visual Studio on Windows. For Visual Studio for Mac, see [Uninstall Visual Studio for Mac](/visualstudio/mac/uninstall).
 
+> [!TIP]
+> If you're having trouble with your instance of Visual Studio, try the **Repair** tool. For more information, see [Repair Visual Studio](../install/repair-visual-studio.md). 
+>
+> If you want to change the location for some of your Visual Studio files, it's possible to do so without uninstalling your current instance. For more information, see [Select the installation locations in Visual Studio](../install/change-installation-locations.md).
+>
+> For general troubleshooting tips, see [Troubleshoot Visual Studio installation and upgrade issues](../install/troubleshooting-installation-issues.md).
+
 ::: moniker range="vs-2017"
 
 1. Find the Visual Studio Installer on your computer.