[release/9.0] Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy #61622
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
April 22, 2025 22:31
ghost
added
the
area-middleware
3 tasks
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
approved these changes
May 8, 2025
Member
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
wtgodbe
removed
the
pending-ci-rerun
|
This seems like a significant behavior change, especially for a patch release, and I was very surprised to see that this was not at least called out in the 9.0.6 release notes. We had to revert an upgrade from 9.0.5 today after this broke a production environment which has Kestrel fronted by AWS ALB. |
|
This also impacted my production environment! In my case its an Azure WebApp, using EasyAuth, hosting a custom image. I use the Short of going back to 9.0.5, what changes do I need to make to restore previous functionality? |
Member
|
What are your setups? This should only affect you if you didn't use |
|
There's loopback set as default for /// <summary>
/// Addresses of known proxies to accept forwarded headers from.
/// </summary>
public IList<IPAddress> KnownProxies { get; } = new List<IPAddress>() { IPAddress.IPv6Loopback };
/// <summary>
/// Address ranges of known proxies to accept forwarded headers from.
/// </summary>
public IList<IPNetwork> KnownNetworks { get; } = new List<IPNetwork>() { new IPNetwork(IPAddress.Loopback, 8) };So this unfortunately is a breaking change for us, as we do not use app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedProto
}); |
Contributor
|
@doeringp in your setup, what is the actual IP of the proxy forwarding the request? |
|
@yannic-hamann-abb I'm not sure yet, but I know it's not localhost since the application is running in Kubernetes behind an Nginx Ingress Controller. |
Contributor
|
In your setup you have to explicitly add the proxy IP or proxy network to the var options = new ForwardedHeadersOptions { ForwardedHeaders.XForwardedProto };
options.KnownNetworks.Add(...); |
|
For us it was enough to override the defaults of app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedProto,
KnownNetworks = {},
KnownProxies = {},
});With this Still a breaking change. Thankfully we discovered it in a testing environment. |
Contributor
|
@mayerraphael with that config you are bypassing the known proxy checks entirely. |
|
@yannic-hamann-abb I agree that this change makes sense from a security standpoint. However, it's also a breaking change in behavior that could impact customers like us who haven't used the X-Forwarded-For header and haven't configured |
|
I have an OData API that uses server paging and a SPA client which depends upon the I saw this change and assumed the nightly build of the container, which uses v9 of the SDK, had used v9.0.301 and that had changed the response. (I hadn’t changed the versions of the packages consumed by my API - all I checked my configuration and I already was using I use EasyAuth and though maybe it was that proxy that was affecting the response, so I turned that off (in a test environment) and that still didn’t fix it. I think there is still another proxy in front of my Azure Web App and its that which has a dependency upon this library, because with...
It still doesn’t work. But if I add |
|
@BrennanConroy Our setup is |
Contributor
If you had set the option in 9.0.5 to This change ensures consistent handling of forwarded headers how it is described in the docs. |
|
Yes @yannic-hamann-abb, I don't think anyone is arguing that your original PR was a bad idea - what's unfortunate is that this backport PR was a breaking change made in a patch release with no warnings in the release notes. |
This was referenced Nov 24, 2025
Open
This was referenced Dec 2, 2025
hwinther
pushed a commit
to hwinther/test
that referenced
this pull request
Dec 4, 2025
Updated [Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/aspnetcore) from 9.0.3 to 9.0.11. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.Mvc.Testing's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 9.0.11 [Release](https://github.com/dotnet/core/releases/tag/v9.0.11) ## What's Changed * Update branding to 9.0.11 by @vseanreesermsft in dotnet/aspnetcore#63950 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63677 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63678 * [release/9.0] (deps): Bump src/submodules/googletest from `eb2d85e` to `9706f75` by @dependabot[bot] in dotnet/aspnetcore#63894 * [release/9.0] Fixed devtools url used for debug with chrome and edge by @github-actions[bot] in dotnet/aspnetcore#61948 * [release/9.0] (http2): Lower WINDOWS_UPDATE received on (half)closed stream to stream abortion by @DeagleGross in dotnet/aspnetcore#63934 * [release/9.0] Re-quarantine ServerRoutingTest.NavigationLock_OverlappingNavigationsCancelExistingNavigations_HistoryNavigation by @github-actions[bot] in dotnet/aspnetcore#63956 * [release/9.0] Fix nginx install on mac, linux by @wtgodbe in dotnet/aspnetcore#63966 * [Hot Reload] Do not attempt to apply empty deltas. by @tmat in dotnet/aspnetcore#63979 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#64036 * Revert log level severity for unknown proxy in ForwardedHeadersMiddleware by @BrennanConroy in dotnet/aspnetcore#64091 * Set timeoutInMinutes to 0 for Windows build job by @vseanreesermsft in dotnet/aspnetcore#64126 **Full Changelog**: dotnet/aspnetcore@v9.0.10...v9.0.11 ## 9.0.10 [Release](https://github.com/dotnet/core/releases/tag/v9.0.10) ## What's Changed * Update branding to 9.0.10 by @vseanreesermsft in dotnet/aspnetcore#63510 * [9.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key by @jkoritzinsky in dotnet/aspnetcore#63249 * [release/9.0] Extend Unofficial 1ES template in IdentityModel nightly tests job by @github-actions[bot] in dotnet/aspnetcore#63465 * [release/9.0] (deps): Bump src/submodules/googletest from `373af2e` to `eb2d85e` by @dependabot[bot] in dotnet/aspnetcore#63501 * [release/9.0] Quarantine ResponseBody_WriteContentLength_PassedThrough by @wtgodbe in dotnet/aspnetcore#63533 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63304 * [release/9.0] [OpenAPI] Use invariant culture for TextWriter by @martincostello in dotnet/aspnetcore#62239 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63303 * Unquarantine `RadioButtonGetsResetAfterSubmittingEnhancedForm` by @ilonatommy in dotnet/aspnetcore#63556 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63577 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63604 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63648 * backport(9.0): Fix runtime architecture detection logic in ANCM. by @DeagleGross in dotnet/aspnetcore#63707 **Full Changelog**: dotnet/aspnetcore@v9.0.9...v9.0.10 ## 9.0.9 [Release](https://github.com/dotnet/core/releases/tag/v9.0.9) ## What's Changed * Update branding to 9.0.9 by @vseanreesermsft in dotnet/aspnetcore#63107 * [release/9.0] (deps): Bump src/submodules/googletest from `c67de11` to `373af2e` by @dependabot[bot] in dotnet/aspnetcore#63035 * [release/9.0] Dispose the certificate chain elements with the chain by @github-actions[bot] in dotnet/aspnetcore#62992 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#62702 * [release/9.0] Update Microsoft.Build versions by @wtgodbe in dotnet/aspnetcore#62505 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#62832 * [release/9.0] Update SignalR Redis tests to use internal Docker Hub mirror by @github-actions[bot] in dotnet/aspnetcore#63116 * [release/9.0] [SignalR] Don't throw for message headers in Java client by @github-actions[bot] in dotnet/aspnetcore#62783 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63151 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63190 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63214 **Full Changelog**: dotnet/aspnetcore@v9.0.8...v9.0.9 ## 9.0.7 [Release](https://github.com/dotnet/core/releases/tag/v9.0.7) ## What's Changed * Update branding to 9.0.7 by @vseanreesermsft in dotnet/aspnetcore#62242 * [release/9.0] (deps): Bump src/submodules/googletest from `04ee1b4` to `e9092b1` by @dependabot in dotnet/aspnetcore#62199 * Fix OpenApiJsonSchema array parsing (#62051) by @BrennanConroy in dotnet/aspnetcore#62118 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61986 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61945 * [release/9.0] Update Alpine helix references by @wtgodbe in dotnet/aspnetcore#62240 * [Backport 9.0] [IIS] Manually parse exe bitness (#61894) by @BrennanConroy in dotnet/aspnetcore#62038 * [release/9.0] Associate tagged keys with entries so replacements are not evicted by @github-actions in dotnet/aspnetcore#62248 * [release/9.0] Block test that is failing after switching to latest-chrome by @github-actions in dotnet/aspnetcore#62283 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#62281 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#62282 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#62303 **Full Changelog**: dotnet/aspnetcore@v9.0.6...v9.0.7 ## 9.0.6 ## Bug Fixes - **Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy** ([#61622](dotnet/aspnetcore#61622)) The Forwarded Headers Middleware now ignores `X-Forwarded-Headers` sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence forwarded header values, preventing potential spoofing or misrouting issues. ## Dependency Updates - **Bump src/submodules/googletest from `52204f7` to `04ee1b4`** ([#61762](dotnet/aspnetcore#61762)) Updates the GoogleTest submodule to a newer commit, bringing in the latest improvements and bug fixes from the upstream project. - **Update dependencies from dotnet/arcade** ([#61714](dotnet/aspnetcore#61714)) Updates internal build and infrastructure dependencies from the dotnet/arcade repository, ensuring compatibility and access to the latest build tools. - **Update dependencies from dotnet/extensions** ([#61571](dotnet/aspnetcore#61571)) Refreshes dependencies from the dotnet/extensions repository, incorporating the latest features and fixes from the extensions libraries. - **Update dependencies from dotnet/extensions** ([#61877](dotnet/aspnetcore#61877)) Further updates dependencies from dotnet/extensions, ensuring the project benefits from recent improvements and bug fixes. - **Update dependencies from dotnet/arcade** ([#61892](dotnet/aspnetcore#61892)) Additional updates to build and infrastructure dependencies from dotnet/arcade, maintaining up-to-date tooling and build processes. ## Miscellaneous - **Update branding to 9.0.6** ([#61831](dotnet/aspnetcore#61831)) Updates the project version and branding to 9.0.6, reflecting the new release and ensuring version consistency across the codebase. - **Merging internal commits for release/9.0** ([#61925](dotnet/aspnetcore#61925)) Incorporates various internal commits into the release/9.0 branch, ensuring that all relevant changes are included in this release. --- This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests. Full Changelog: [v9.0.5...v9.0.6](dotnet/aspnetcore@v9.0.5...v9.0.6) ## 9.0.5 [Release](https://github.com/dotnet/core/releases/tag/v9.0.5) ## What's Changed * Update branding to 9.0.5 by @vseanreesermsft in dotnet/aspnetcore#61284 * [release/9.0] (deps): Bump src/submodules/googletest from `24a9e94` to `52204f7` by @dependabot in dotnet/aspnetcore#61261 * [release/9.0] Upgrade to Ubuntu 22 by @github-actions in dotnet/aspnetcore#61215 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#60964 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60902 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61355 * [release/9.0] Caching SERedis critical bugfix; defer HC metadata detection because of DI cycle by @github-actions in dotnet/aspnetcore#60916 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61354 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#61393 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61412 * Revert "Revert "[release/9.0] Update remnants of azureedge.net"" by @wtgodbe in dotnet/aspnetcore#60353 * [release/9.0] Fix preserving messages for stateful reconnect with backplane by @github-actions in dotnet/aspnetcore#61374 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61483 * [Identity] Fix Identity UI asset definitions by @javiercn in dotnet/aspnetcore#59100 **Full Changelog**: dotnet/aspnetcore@v9.0.4...v9.0.5 ## 9.0.4 [Release](https://github.com/dotnet/core/releases/tag/v9.0.4) ## What's Changed * Update branding to 9.0.4 by @vseanreesermsft in dotnet/aspnetcore#60785 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#60445 * [release/9.0] (deps): Bump src/submodules/googletest from `e235eb3` to `24a9e94` by @dependabot in dotnet/aspnetcore#60678 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60356 * Fix OpenAPI server URLs for Aspire scenarios by @captainsafia in dotnet/aspnetcore#60673 * Fix self-referential schema handling in collection schemas by @captainsafia in dotnet/aspnetcore#60410 * [release/9.0] [Blazor] Fix custom elements JS assets not being included in build output by @MackinnonBuck in dotnet/aspnetcore#60858 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#60880 **Full Changelog**: dotnet/aspnetcore@v9.0.3...v9.0.4 Commits viewable in [compare view](dotnet/aspnetcore@v9.0.3...v9.0.11). </details> Updated [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.13.0 to 18.0.1. <details> <summary>Release notes</summary> _Sourced from [Microsoft.NET.Test.Sdk's releases](https://github.com/microsoft/vstest/releases)._ ## 18.0.1 ## What's Changed Fixing an issue with loading covrun64.dll on systems that have .NET 10 SDK installed: https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/10.0/code-coverage-dynamic-native-instrumentation * Disable DynamicNative instrumentation by default by @nohwnd in microsoft/vstest#15298 * Update MicrosoftInternalCodeCoveragePackageVersion to 18.0.6 by @nohwnd in microsoft/vstest#15312 ### Internal changes * Update VersionPrefix to 18.0.1 by @nohwnd in microsoft/vstest#15301 * Update build tools to 17.8.43 by @nohwnd in microsoft/vstest#15305 **Full Changelog**: microsoft/vstest@v18.0.0...v18.0.1 ## 18.0.0 ## What's Changed * Update reporting formatting by @martincostello in microsoft/vstest#15082 * Fix stack trace for Trace.Fail and Debug.Fail by @nohwnd in microsoft/vstest#15103 * Add documentation of environment variables by @Copilot in microsoft/vstest#15095 * IFrameworkHandle.LaunchProcessWithDebuggerAttached allows null for workingDirectory in signature but throws by @Copilot in microsoft/vstest#15091 * Add Dependabot configuration for .NET SDK updates by @JamieMagee in microsoft/vstest#15114 * Handle dotnet_root in testhost version aware way by @nohwnd in microsoft/vstest#15184 * Add magic bytes validation for Mach-O binaries in DotnetHostHelper by @Copilot in microsoft/vstest#15230 * using globbing pattern doesn't work on windows with forward slashes by @Copilot in microsoft/vstest#15088 * Remove tpv0 by @nohwnd in microsoft/vstest#15247 * Cache AssemblyName in ManagedNameHelper by @Youssef1313 in microsoft/vstest#15259 * Add ARM64 support to GetArchitectureForSource methods by @Copilot in microsoft/vstest#15278 ### Internal fixes and updates * Fix formatting in two files by @ViktorHofer in microsoft/vstest#15047 * Build TestPlatform packages in VMR by @ViktorHofer in microsoft/vstest#15055 * Condition property on .NET FX MSBuild by @jaredpar in microsoft/vstest#15054 * Migrate to awesome assertions by @nohwnd in microsoft/vstest#15056 * Revert "Build TestPlatform packages in VMR" by @ViktorHofer in microsoft/vstest#15057 * Update package Category by @ViktorHofer in microsoft/vstest#15058 * Revert "Write props of tests into trx" by @nohwnd in microsoft/vstest#15080 * Error on unsupported tfms (#15072) by @nohwnd in microsoft/vstest#15073 * Use policies from testfx to align by @nohwnd in microsoft/vstest#15085 * Update enable-auto-merge.yml by @nohwnd in microsoft/vstest#15102 * Revert ignoring environment test by @Copilot in microsoft/vstest#15094 * unignore tests by @Copilot in microsoft/vstest#15093 * Update MSTest by @Youssef1313 in microsoft/vstest#15108 * Bump dotnet-sdk from 9.0.106 to 9.0.301 by @dependabot[bot] in microsoft/vstest#15179 * Use Assert.Equals by @nohwnd in microsoft/vstest#15181 * Run VSTest tests with MTP by @Youssef1313 in microsoft/vstest#15079 * Use the standard sdk for architecture switch test by @nohwnd in microsoft/vstest#15188 * Remove CUIT (Coded UI Test) from NuGet packages and test projects by @Copilot in microsoft/vstest#15177 * dump-logs? by @nohwnd in microsoft/vstest#15187 * Moving to version 18 by @nohwnd in microsoft/vstest#15209 * Update fakes version by @drognanar in microsoft/vstest#15227 * Microsoft.Intellitrace.Core should be taken from nuget by @nohwnd in microsoft/vstest#15229 * Remove MSTest.Assert.Extensions by @Youssef1313 in microsoft/vstest#15178 * Sourcebuild fix by @nohwnd in microsoft/vstest#15239 * Set dotnet_root_<arch> only when the architecture of dotnet in the path is the same by @nohwnd in microsoft/vstest#15250 * Remove fakes v1 from FakesUtilities by @drognanar in microsoft/vstest#15251 * Update fakes dependencies by @drognanar in microsoft/vstest#15254 * Do half the work in GetManagedName by @Youssef1313 in microsoft/vstest#15255 * check Vsix only when produced by @nohwnd in microsoft/vstest#15261 * Set dotnet_root_<arch> always by @nohwnd in microsoft/vstest#15266 * Don't hardcode old vswhere version in global.json by @akoeplinger in microsoft/vstest#15267 * Revert dowgrade of fakes by @nohwnd in microsoft/vstest#15263 * Update VSSDK to version with code flow guard by @nohwnd in microsoft/vstest#15279 * Update Fakes to version with code flow guard by @nohwnd in microsoft/vstest#15273 ... (truncated) ## 17.14.1 ## What's Changed * Error on unsupported target frameworks to prevent silently not running tests by @nohwnd in microsoft/vstest#15072 and microsoft/vstest#15078 * Revert writing additional properties to TRX by @nohwnd in microsoft/vstest@47eb51b **Full Changelog**: microsoft/vstest@v17.14.0...v17.14.1 ## 17.14.0 ## What's Changed ### .NET versions updated This version of VS Test upgraded .NET to net8 and net9. All projects targeting net6.0 (or other end-of-life .NET target frameworks) should pin their version of Microsoft.NET.Test.SDK to 17.13.0, or update the projects to net8 or newer. We remain backwards compatible with previous versions of Microsoft.NET.Test.SDK. This change does **NOT** prevent you from: - Updating to the latest VS, and running tests from net6.0 test projects. - Updating to the latest .NET SDK, and running tests from net6.0 test projects. It also has no impact on .NET Framework projects, where we continue targeting .NET Framework 4.6.2. * Drop unsupported frameworks by @nohwnd in microsoft/vstest#10565 ### Changes * Adding Process Query Flag For UWP .NET 9 Support by @adstep in microsoft/vstest#15003 * Fix builds on WinUI and UWP .NET 9 projects by @Sergio0694 in microsoft/vstest#15004 * don't report communication error on discovery abort by @nohwnd in microsoft/vstest#14992 * Add dump minitool to vsix by @nohwnd in microsoft/vstest#14707 * Make test runners long-path aware (#5179) by @peetw in microsoft/vstest#15014 * Fix trace in DataCollectionRequestSender.cs by @stan-sz in microsoft/vstest#15025 * Fix/readme grammar parallelism by @dellch in microsoft/vstest#15030 * Add binding redirects by @nohwnd in microsoft/vstest#15041 * Write props of tests into trx by @nohwnd in microsoft/vstest#14905 ### Internal version updates and fixes * Update io.redist by @nohwnd in microsoft/vstest#13872 * Use preview image for public build by @nohwnd in microsoft/vstest#13888 * Remove xcopy-msbuild by @nohwnd in microsoft/vstest#14138 * Move to macos14 by @nohwnd in microsoft/vstest#14137 * Update diagnose.md by @nohwnd in microsoft/vstest#14776 * hash with sha2 for mutex lock by @nohwnd in microsoft/vstest#14777 * Update test projects for vmr by @nohwnd in microsoft/vstest#14894 * 17.14 branding by @nohwnd in microsoft/vstest#14903 * Update filter.md for NUnit by @OsirisTerje in microsoft/vstest#14987 * Flag netstandard1.x dependencies in source-build by @ViktorHofer in microsoft/vstest#14986 * Use VS dependencies versions from release VS to have archived symbols by @nohwnd in microsoft/vstest#14991 * Remove extra ; by @nohwnd in microsoft/vstest#14995 * Use dependencymodel 6.0.2 by @nohwnd in microsoft/vstest#14996 * Make Testhost packable only on Windows by @mmitche in microsoft/vstest#15001 * Add system text json to vsix by @nohwnd in microsoft/vstest#15034 * Add more files to vsix by @nohwnd in microsoft/vstest#15038 * Remove unnecessary CA2022 suppressions by @Winniexu01 in microsoft/vstest#15035 * Update package project url by @mmitche in microsoft/vstest#15040 ## New Contributors * @OsirisTerje made their first contribution in microsoft/vstest#14987 * @adstep made their first contribution in microsoft/vstest#15003 ... (truncated) ## 17.14.0-preview-25107-01 ## What's Changed ### .NET versions updated This version of VS Test upgraded .NET to net8 and net9. All projects targeting net6.0 (or other end-of-life .NET target frameworks) should pin their version of Microsoft.NET.Test.SDK to 17.13.0, or update the projects to net8 or newer. We remain backwards compatible with previous versions of Microsoft.NET.Test.SDK. This change does **NOT** prevent you from: - Updating to the latest VS, and running tests from net6.0 test projects. - Updating to the latest .NET SDK, and running tests from net6.0 test projects. It also has no impact on .NET Framework projects, where we continue targeting .NET Framework 4.6.2. * Drop unsupported frameworks by @nohwnd in microsoft/vstest#10565 ### Changes * Adding Process Query Flag For UWP .NET 9 Support by @adstep in microsoft/vstest#15003 * Fix builds on WinUI and UWP .NET 9 projects by @Sergio0694 in microsoft/vstest#15004 * don't report communication error on discovery abort by @nohwnd in microsoft/vstest#14992 * Add dump minitool to vsix by @nohwnd in microsoft/vstest#14707 ### Internal version updates and fixes * Update io.redist by @nohwnd in microsoft/vstest#13872 * Use preview image for public build by @nohwnd in microsoft/vstest#13888 * Remove xcopy-msbuild by @nohwnd in microsoft/vstest#14138 * Move to macos14 by @nohwnd in microsoft/vstest#14137 * Update diagnose.md by @nohwnd in microsoft/vstest#14776 * hash with sha2 for mutex lock by @nohwnd in microsoft/vstest#14777 * Update test projects for vmr by @nohwnd in microsoft/vstest#14894 * 17.14 branding by @nohwnd in microsoft/vstest#14903 * Update filter.md for NUnit by @OsirisTerje in microsoft/vstest#14987 * Flag netstandard1.x dependencies in source-build by @ViktorHofer in microsoft/vstest#14986 * Use VS dependencies versions from release VS to have archived symbols by @nohwnd in microsoft/vstest#14991 * Remove extra ; by @nohwnd in microsoft/vstest#14995 * Use dependencymodel 6.0.2 by @nohwnd in microsoft/vstest#14996 * Make Testhost packable only on Windows by @mmitche in microsoft/vstest#15001 ### Will probably revert before release: * Write props of tests into trx by @nohwnd in microsoft/vstest#14905 ## New Contributors * @OsirisTerje made their first contribution in microsoft/vstest#14987 * @adstep made their first contribution in microsoft/vstest#15003 * @Sergio0694 made their first contribution in microsoft/vstest#15004 **Full Changelog**: microsoft/vstest@v17.13.0...v17.14.0-preview-25107-01 Commits viewable in [compare view](microsoft/vstest@v17.13.0...v18.0.1). </details> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #61530 to release/9.0
/cc @BrennanConroy @yannic-hamann-abb
Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy
Description
If the
ForwardedHeadersMiddlewaremiddleware is used without usingXForwardedForthen theKnownNetworksandKnownProxieschecks are skipped.Fixes #61449
Customer Impact
Expectations for
KnownNetworksandKnownProxiessettings are not always met. If you aren't careful with configuring your app (careful meaning aware of this issue), you can end up allowing traffic you didn't intend to allow.Regression?
Risk
Runs a check that was already there but runs it in more cases.
Verification
Packaging changes reviewed?