author | Andrew Arnott <andrewarnott@gmail.com> | 2009-01-07 16:41:45 -0800 |
committer | Andrew <andrewarnott@gmail.com> | 2009-01-07 16:41:45 -0800 |
commit | d926302afa129bf69b81cb2ef7bd71044a7347fb (patch) | |
tree | 88215b357a21e41077b82a903d2f18f1fb168095 | |
parent | 917d62d68e86693175402f853dd5dcbcd52d0b46 (diff) | |
Added base64 recovery function to accommodate faulty OpenID Providers.
Port of DNOI f8410174dfd65e303560f87fbdc1e0b65f78b7f3
-rw-r--r-- | src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs | 1 | ||||
-rw-r--r-- | src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs | 30 |
2 files changed, 31 insertions, 0 deletions
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
index 75941b3..62875f9 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
@@ -133,6 +133,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 // Set the safety flag showing whether the return_to url had a valid signature.
string expected = this.GetReturnToSignature(response.ReturnTo);
string actual = returnToParameters[ReturnToSignatureParameterName];
+ actual = OpenIdUtilities.FixDoublyUriDecodedBase64String(actual);
response.ReturnToParametersSignatureValidated = actual == expected;
if (!response.ReturnToParametersSignatureValidated) {
Logger.WarnFormat("The return_to signature failed verification.");
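Review bot: The added `actual = OpenIdUtilities.FixDoublyUriDecodedBase64String(actual);` line throws when the return_to carries no signature parameter, because the helper begins with `ErrorUtilities.VerifyArgumentNotNull`, whereas before this change a missing `returnToParameters[ReturnToSignatureParameterName]` (presumably null from the collection indexer) simply failed the `actual == expected` comparison and was reported through the existing warning. Unless an unsigned return_to is meant to become a hard error, guard the call: `if (actual != null) { actual = OpenIdUtilities.FixDoublyUriDecodedBase64String(actual); }`. The enclosing method starts and ends outside the hunk, so an earlier null check may exist but is not visible here. Separately, `actual == expected` on the following line is an early-exit string comparison of a signature value; it predates this commit, but a fixed-time comparison would be preferable there.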
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs b/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
index 0a2d36a..2177e6f 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
@@ -56,5 +56,35 @@ namespace DotNetOpenAuth.OpenId {
 Logger.Info("Generated and saved private secret. This should generally happen only at web application initialization time.");
}
}
+
+ /// <summary>
+ /// Corrects any URI decoding the Provider may have inappropriately done
+ /// to our return_to URL, resulting in an otherwise corrupted base64 token.
+ /// </summary>
+ /// <param name="token">The token, which MAY have been corrupted by an extra URI decode.</param>
+ /// <returns>The token; corrected if corruption had occurred.</returns>
+ /// <remarks>
+ /// AOL may have incorrectly URI-decoded the token for us in the return_to,
+ /// resulting in a token URI-decoded twice by the time we see it, and no
+ /// longer being a valid base64 string.
+ /// It turns out that the only symbols from base64 that is also encoded
+ /// in URI encoding rules are the + and / characters.
+ /// AOL decodes the %2b sequence to the + character
+ /// and the %2f sequence to the / character (it shouldn't decode at all).
+ /// When we do our own URI decoding, the + character becomes a space (corrupting base64)
+ /// but the / character remains a /, so no further corruption happens to this character.
+ /// So to correct this we just need to change any spaces we find in the token
+ /// back to + characters.
+ /// </remarks>
+ internal static string FixDoublyUriDecodedBase64String(string value) {
+ ErrorUtilities.VerifyArgumentNotNull(value, "value");
+
+ if (value.Contains(" ")) {
+ Logger.Error("Deserializing a corrupted token. The OpenID Provider may have inappropriately decoded the return_to URL before sending it back to us.");
+ value = value.Replace(' ', '+'); // Undo any extra decoding the Provider did
+ }
+
+ return value;
+ }
}
}
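Review bot: The `Logger.Error(...)` message inside `FixDoublyUriDecodedBase64String` says "Deserializing a corrupted token", but the only caller in this commit passes the return_to signature value, and the `<remarks>` also speak of a "token"; the message should name what is actually being repaired, e.g. `Logger.Error("Correcting a corrupted base64 return_to signature. The OpenID Provider may have inappropriately decoded the return_to URL before sending it back to us.");`. Error level will also fire on every response from an affected Provider, and the caller already warns when verification fails, so Warn looks like the better level here. The space-to-plus repair does not weaken verification only because the corrected value is afterwards compared against a locally recomputed signature rather than trusted on its own; that assumption is worth stating in the `<remarks>` so the helper is not later reused on values that are never verified. A space is never a valid base64 character, so the substitution cannot turn one valid string into a different valid one, which would also be useful to note next to the `value.Replace(' ', '+')` line.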