Split commands in FtpWebRequest

Author: liveans

src/libraries/System.Net.Requests/src/Resources/Strings.resx

@@ -195,6 +195,9 @@
   <data name="net_ftp_receivefailure" xml:space="preserve">
     <value>The underlying connection was closed: An unexpected error occurred on a receive</value>
   </data>
+  <data name="net_ftp_no_newlines" xml:space="preserve">
+    <value>CRLF character pair is not allowed in FtpWebRequest inputs.</value>
+  </data>
   <data name="net_webstatus_NameResolutionFailure" xml:space="preserve">
     <value>The remote name could not be resolved</value>
   </data>

src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs

@@ -1118,6 +1118,11 @@ private string GetPortCommandLine()
         /// </summary>
         private static string FormatFtpCommand(string command, string? parameter)
         {
+            if (parameter is not null && parameter.Contains("\r\n", StringComparison.Ordinal))
+            {
+                throw new FormatException(SR.net_ftp_no_newlines);
+            }
+
             return string.IsNullOrEmpty(parameter) ?
                 command + "\r\n" :
                 command + " " + parameter + "\r\n";

src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs

@@ -486,6 +486,9 @@ internal FtpWebRequest(Uri uri)
             if ((object)uri.Scheme != (object)Uri.UriSchemeFtp)
                 throw new ArgumentOutOfRangeException(nameof(uri));
 
+            if (uri.OriginalString.Contains("\r\n", StringComparison.Ordinal))
+                throw new FormatException(SR.net_ftp_no_newlines);
+
             _timerCallback = new TimerThread.Callback(TimerCallback);
             _syncObject = new object();
 

src/libraries/System.Net.Requests/tests/FtpWebRequestTest.cs

@@ -203,6 +203,27 @@ public void Ftp_RenameFileSubDir_Success(FtpExecutionMode mode)
             Assert.False(DirExists(mode, dir));
         }
 
+        [Fact]
+        public void Ftp_Ignore_NewLine_Constructor_Throws_FormatException()
+        {
+            string uri = absoluteUri + Guid.NewGuid().ToString();
+
+            Assert.Throws<FormatException>(() => WebRequest.Create($"{uri}\r\n{WebRequestMethods.Ftp.AppendFile} {Guid.NewGuid().ToString()}"));
+        }
+
+        [ConditionalFact(nameof(LocalServerAvailable))]
+        public void Ftp_Ignore_NewLine_GetRequestStream_And_GetResponse_Throws_FormatException_As_InnerException()
+        {
+            FtpWebRequest ftpWebRequest = (FtpWebRequest)WebRequest.Create(absoluteUri + Guid.NewGuid().ToString());
+            ftpWebRequest.Method = "APPE";
+            ftpWebRequest.Credentials = new NetworkCredential("test\r\ntest2", "test\r\ntest2");
+            var requestException = Assert.Throws<WebException>(() => ftpWebRequest.GetRequestStream());
+            Assert.True(requestException.InnerException is FormatException);
+
+            var responseException = Assert.Throws<WebException>(() => ftpWebRequest.GetResponse());
+            Assert.True(responseException.InnerException is FormatException);
+        }
+
         private static async Task<MemoryStream> DoAsync(FtpWebRequest request, MemoryStream requestBody)
         {
             if (requestBody != null)