I shipped WebDAVClient 2.6.0 to NuGet today – sixteen PRs that had been queueing on the version-2.6 branch all landed together. Here’s the rundown.
Security
- Hardened
ResponseParser‘sXmlReaderSettingsagainst XXE (explicitDtdProcessing = Prohibit+XmlResolver = null). - Wired the previously-dead
ServerCertificateValidationCallbackinto theHttpClientHandlerso it actually runs. - Added host validation in
BuildServerUrlto prevent SSRF via absolute URIs returned by the server. - Validate
CustomHeaderskeys/values for CR/LF to prevent HTTP header injection.
Performance
List()no longer callsGetServerUrlper item.- Cache MOVE/COPY request body bytes in static fields.
ResponseParserno longer allocates a lowercased string per node.- Avoid redundant header dictionary lookup in
HttpRequest/HttpUploadRequest. - Avoid copying
CustomHeadersinto a temporary dictionary on every call. - Use
OrdinalIgnoreCasefor parent-folder URL comparison inList().
Bug fixes
- Fixed shared
HttpClientHandlerbeing disposed twice whenuploadTimeoutis set.
Tests & tooling
- Added a real
WebDAVClient.UnitTestsproject (MSTest, multi-targeted) with a stub-handler harness for network-free testing. - New GitHub Actions workflow auto-publishes the NuGet package when
masteris bumped. - Added .NET 10 support and dropped .NET 9.
Documentation
- README refresh: typos, changelog catch-up, and a usage example that actually shows
using,Port,CustomHeaders,CancellationToken, andCopyFile/CopyFolder. - Filled in missing XML docs across
IClient(parameters,cancellationToken, exceptions, validdepthvalues),Itemmodel, both exception types, and theIHttpClientWrapper/HttpClientWrapperpair.
NuGet: WebDAVClient 2.6.0 · Source: github.com/saguiitay/WebDAVClient
Should be a drop-in upgrade from 2.5.x. The one thing worth double-checking: ServerCertificateValidationCallback actually runs now, so if you had it set “just in case”, make sure it returns true for the certs you actually expect.