Announcements icon indicating copy to clipboard operation
Announcements copied to clipboard

Published 20 hours ago verified publisher icon aspnet

[Breaking change]: Static files, default document, and directory browsing middleware no longer no-op when an endpoint with a null RequestDelegate is active

Open DamianEdwards opened this issue 2 years ago • 0 comments

Description

As detailed in dotnet/aspnetcore#42413, the file-serving middleware (DefaultFilesMiddleware, DirectoryBrowserMiddleware, and StaticFileMiddleware) have been updated to no longer no-op (i.e. defer to the next middleware in the pipeline) in the case that there is an active endpoint with a null request delegate.

PR that makes the change: dotnet/aspnetcore#42458

Version

.NET 7 Preview 7

Previous behavior

Previously, if the current request had an active endpoint, i.e. HttpContext.GetEndpoint() != null, the file-serving middleware would perform no action and simply delegate to the next middleware in the request pipeline.

New behavior

The file-serving middleware will now only perform no action if there is an active endpoint and its RequestDelegate property value is not null, i.e. HttpContext.GetEndpoint()?.RequestDelegate is not null.

Type of breaking change

  • [ ] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • [ ] Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • [X] Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

This change will enable endpoints to be active in the request for the purposes of setting and sharing metadata with middleware that are endpoint-aware so that they can perform their intended function, while allowing other middleware (like the file-serving middleware) that would usually defer their behavior when an endpoint is active to also function.

For example, an endpoint with a null request delegate containing authorization metadata can be set as the active endpoint for a request, causing the AuthorizationMiddleware to enforce authorization requirements, which if satisfied would allow the StaticFileMiddleware to serve the requested files.

Recommended action

If you are relying on setting an active endpoint on the request to suppress the behavior of the file-serving middleware, ensure that the endpoint has a non-null value set for its RequestDelegate property.

Affected APIs

  • IApplicationBuilder.UseStaticFiles()
  • IApplicationBuilder.UseDefaultFiles()
  • IApplicationBuilder.UseDirectoryBrowser()

DamianEdwards avatar Jun 28 '22 18:06 DamianEdwards