Proposal: Obsolete UTF-7 encoding in the framework #32284

@GrabYourPitchforks

Motivation

The UTF-7 transcoding logic in the framework is problematic. UTF-7 itself has been deprecated for quite some time, and MSDN even warns against using the UTF7Encoding type due to the possibility of introducing security and reliability problems.

ASP.NET Full Framework 4.5+ and ASP.NET Core (all versions) forbid processing UTF-7 encoded requests by default due to the problems that UTF-7 has historically caused.

Ideally we'd be able to change application code not to consider UTF-7 as a default candidate for text processing, but that's not always practical. There are scenarios where library code passes untrusted charset values as inputs to the Encoding.GetEncoding API, and they're not necessarily hardened against these APIs returning UTF7Encoding or some other undesirable instance. A proposal which properly deprecates UTF-7 framework-wide also needs to take this into account.

Proposed API and behavioral changes

namespace System.Text
{
    public class Encoding
    {
        [Obsolete(...)] // ** NEW attribute ** on existing property
        public static Encoding UTF7 { get; }
    }

    public class UTF7Encoding
    {
        [Obsolete(...)] // ** NEW attribute ** on existing ctor
        public UTF7Encoding();

        [Obsolete(...)] // ** NEW attribute ** on existing ctor
        public UTF7Encoding(bool);
    }
}

  • Add [Obsolete] (as warning) to the System.Text.UTF7Encoding ctors; this allows things like typeof(UTF7Encoding) to continue to work
  • Add [Obsolete] (as warning) to the static property System.Text.Encoding.UTF7
  • Disallow System.Text.Encoding.GetEncoding("utf-7") from returning a UTF7Encoding instance by default

If an application needs Encoding.GetEncoding("utf-7") to return a UTF7Encoding instance, this can be done by using AppContext at app start, re-introducing UTF-7 knowledge into the system, as shown below.

AppContext.SetSwitch("System.Text.Encoding.EnableUnsafeUTF7Encoding", true);
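
For the library scenario described under Motivation, where an untrusted charset value reaches Encoding.GetEncoding, the caller can validate the resolved encoding itself. The following is an added example, not part of the original proposal or the framework; CharsetPolicy, TryResolve and the allow-list contents are hypothetical, and the sample labels are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: CharsetPolicy and its members are hypothetical names.
public static class CharsetPolicy
{
    private const int Utf7CodePage = 65000; // code page reported by UTF7Encoding

    // Constructed allow-list: an application lists only the charsets it expects.
    private static readonly HashSet<string> AllowedWebNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "utf-8", "utf-16", "us-ascii", "iso-8859-1" };

    public static bool TryResolve(string untrustedCharset, out Encoding encoding)
    {
        encoding = null;
        if (string.IsNullOrWhiteSpace(untrustedCharset)) return false;

        Encoding candidate;
        try
        {
            // Exception fallbacks make invalid bytes fail instead of being replaced.
            candidate = Encoding.GetEncoding(untrustedCharset.Trim(),
                EncoderFallback.ExceptionFallback, DecoderFallback.ExceptionFallback);
        }
        catch (ArgumentException) { return false; } // unknown or unsupported label

        // Check the resolved instance, not the input string, so that any alias
        // resolving to UTF7Encoding is rejected as well.
        if (candidate.CodePage == Utf7CodePage) return false;
        if (!AllowedWebNames.Contains(candidate.WebName)) return false;

        encoding = candidate;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed labels, as they might arrive in a Content-Type charset parameter.
        foreach (var label in new[] { "utf-8", "UTF-7", "unicode-1-1-utf-7", "latin1", "no-such-charset" })
        {
            bool ok = CharsetPolicy.TryResolve(label, out var enc);
            Console.WriteLine($"{label,-20} -> {(ok ? enc.WebName : "rejected")}");
        }
    }
}
```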

Labels

area-System.Text.Encoding, breaking-change (Issue or PR that represents a breaking API or functional change over a previous release.)
