author | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-05 14:38:11 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-05 14:38:11 -0700 |
commit | 9b680f268f109abfeeb5d01ce1c808ce1cf1b505 (patch) | |
tree | 53e07ef1b7c1a04947753f1a2673ac0522b69e24 | |
parent | 5d22560f67cbed3999cbf732bb76d7e002c7d02e (diff) | |
download | DotNetOpenAuth-9b680f268f109abfeeb5d01ce1c808ce1cf1b505.zip DotNetOpenAuth-9b680f268f109abfeeb5d01ce1c808ce1cf1b505.tar.gz DotNetOpenAuth-9b680f268f109abfeeb5d01ce1c808ce1cf1b505.tar.bz2 |
Improved security on the token type by including it in the signature.
-rw-r--r-- | src/DotNetOpenAuth/OAuthWrap/ChannelElements/DataBag.cs | 21 |
1 files changed, 8 insertions, 13 deletions
diff --git a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/DataBag.cs b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/DataBag.cs
index 5fc3e83..c6ffc16 100644
--- a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/DataBag.cs
+++ b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/DataBag.cs
@@ -43,6 +43,11 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements {
 		private readonly bool compressed;
 
+		[MessagePart("t", IsRequired = true, AllowEmpty = false)]
+		private string BagType {
+			get { return this.GetType().Name; }
+		}
+
 		protected DataBag(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan? maximumAge = null, INonceStore decodeOnceOnly = null)
 			: base(Protocol.Default.Version) {
 			Contract.Requires<ArgumentException>(signed || decodeOnceOnly == null, "A signature must be applied if this data is meant to be decoded only once.");
@@ -104,7 +109,7 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements {
 			}
 
 			var fields = MessageDescriptions.GetAccessor(this);
-			string value = Uri.EscapeDataString(this.BagTypeName) + "&" + MessagingUtilities.CreateQueryString(fields);
+			string value = MessagingUtilities.CreateQueryString(fields);
 			byte[] encoded = Encoding.UTF8.GetBytes(value);
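Review bot: The new `BagType` part serializes `this.GetType().Name`, the unqualified type name, so two DataBag subclasses with the same simple name in different namespaces would emit an identical `t` value and the signature would not tell them apart; if that is possible in this assembly, prefer `get { return this.GetType().FullName; }` or a per-type constant. The property also has no XML doc comment explaining why a read-only part exists at all; something like `/// <summary>Gets the name of the concrete bag type, serialized as the "t" part so the signature covers it.</summary>` would record the intent of this commit. Since the getter has no setter, decoding depends on the message serializer tolerating a read-only `[MessagePart]`, which this hunk does not show. The enclosing class begins before and ends after this hunk.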
@@ -135,15 +140,9 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements {
 			value = Encoding.UTF8.GetString(encoded);
 
 			// Deserialize into this newly created instance.
+			var serializer = MessageSerializer.Get(this.GetType());
 			var fields = MessageDescriptions.GetAccessor(this);
-			string[] halves = value.Split(new char[] { '&' }, 2);
-			ErrorUtilities.VerifyProtocol(string.Equals(halves[0], Uri.EscapeDataString(this.BagTypeName), StringComparison.Ordinal), "Unexpected type of message while decoding.");
-			value = halves[1];
-
-			var nvc = HttpUtility.ParseQueryString(value);
-			foreach (string key in nvc) {
-				fields[key] = nvc[key];
-			}
+			serializer.Deserialize(HttpUtility.ParseQueryString(value).ToDictionary(), fields);
 
 			if (signed) {
 				// Verify that the verification code was issued by this authorization server.
@@ -169,10 +168,6 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements {
 			}
 		}
 
-		private string BagTypeName {
-			get { return this.GetType().Name; }
-		}
-
 		private bool IsSignatureValid() {
 			if (this.asymmetricSigning != null) {
 				byte[] bytesToSign = this.GetBytesToSign(); |
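Review bot: The explicit type check `ErrorUtilities.VerifyProtocol(string.Equals(halves[0], ...BagTypeName...))` is deleted and nothing visible replaces it: decoding now relies on `serializer.Deserialize` rejecting a `t` value that disagrees with the get-only `BagType` property, and that behaviour is not shown here. If the serializer simply cannot assign a read-only part and ignores it, a bag of one type can be decoded as another whenever `signed` is false, because the signature (checked further down only inside `if (signed)`) is the only other thing that binds `t`. Keep an explicit check right after the `Deserialize` call, e.g. `ErrorUtilities.VerifyProtocol(string.Equals(fields["t"], this.BagType, StringComparison.Ordinal), "Unexpected type of message while decoding.");` — this assumes the accessor exposes parts by name, which the removed `fields[key] = nvc[key]` suggests. Separately, the untrusted payload is still parsed into `fields` before `IsSignatureValid()` runs; that ordering predates this commit but is worth reversing so unsigned data is rejected before it is deserialized. The enclosing method starts and ends outside this hunk.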