[Blazor][Fixes #15399]The Blazor descriptor can contain two consecutive dashes (#15412)

javiercn · web-flow · commit c94b2dd06187 · 2019-10-28T10:59:43.000+01:00
* We Base64 encode the descriptor instead of Base64Url encode it as data protection does with its string overload.
* It uses "+/" instead of "-_", both of which are safe inside HTML
  comments.
* The descriptors are not sent in any url, nor are present inside headers
  or similar, so Base64 encoding them is fine.
diff --git a/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs b/src/Components/Server/src/Circuits/ServerComponentDeserializer.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Text;
 using System.Text.Json;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Logging;
@@ -153,7 +154,9 @@ public bool TryDeserializeComponentDescriptorCollection(string serializedCompone
             string unprotected;
             try
             {
-                unprotected = _dataProtector.Unprotect(record.Descriptor);
+                var payload = Convert.FromBase64String(record.Descriptor);
+                var unprotectedBytes = _dataProtector.Unprotect(payload);
+                unprotected = Encoding.UTF8.GetString(unprotectedBytes);
             }
             catch (Exception e)
             {
diff --git a/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs b/src/Mvc/Mvc.ViewFeatures/src/ServerComponentSerializer.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Text;
 using System.Text.Json;
 using Microsoft.AspNetCore.Components;
 using Microsoft.AspNetCore.DataProtection;
@@ -43,7 +44,9 @@ public ServerComponentMarker SerializeInvocation(ServerComponentInvocationSequen
                 invocationId.Value);
 
             var serializedServerComponent = JsonSerializer.Serialize(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
-            return (serverComponent.Sequence, _dataProtector.Protect(serializedServerComponent, ServerComponentSerializationSettings.DataExpiration));
+            var serializedServerComponentBytes = JsonSerializer.SerializeToUtf8Bytes(serverComponent, ServerComponentSerializationSettings.JsonSerializationOptions);
+            var protectedBytes = _dataProtector.Protect(serializedServerComponentBytes, ServerComponentSerializationSettings.DataExpiration);
+            return (serverComponent.Sequence, Convert.ToBase64String(protectedBytes));
         }
 
         internal IEnumerable<string> GetPreamble(ServerComponentMarker record)

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`
`4`	`4`	`using System;`
`5`	`5`	`using System.Collections.Generic;`
	`6`	`+using System.Text;`
`6`	`7`	`using System.Text.Json;`
`7`	`8`	`using Microsoft.AspNetCore.DataProtection;`
`8`	`9`	`using Microsoft.Extensions.Logging;`
`@@ -153,7 +154,9 @@ public bool TryDeserializeComponentDescriptorCollection(string serializedCompone`
`153`	`154`	`string unprotected;`
`154`	`155`	`try`
`155`	`156`	`{`
`156`		`- unprotected = _dataProtector.Unprotect(record.Descriptor);`
	`157`	`+ var payload = Convert.FromBase64String(record.Descriptor);`
	`158`	`+ var unprotectedBytes = _dataProtector.Unprotect(payload);`
	`159`	`+ unprotected = Encoding.UTF8.GetString(unprotectedBytes);`
`157`	`160`	`}`
`158`	`161`	`catch (Exception e)`
`159`	`162`	`{`