author | Andrew Arnott <andrewarnott@gmail.com> | 2008-10-04 21:54:38 -0700 |
---|---|---|
committer | Andrew <andrewarnott@gmail.com> | 2008-10-04 21:54:38 -0700 |
commit | fb668f0e8800e6f507383a4c98e71761280b8898 (patch) | |
tree | b642595e2e0237834171faf67b0dbb2b03384c32 | |
parent | 9ffccf622b5c669027c8cbb9ee2f8735ea25d636 (diff) | |
Added more intelligent URI query stripping to protect against repeat attempts from ASPX pages.
-rw-r--r-- | src/DotNetOAuth/Consumer.cs | 3 | ||||
-rw-r--r-- | src/DotNetOAuth/Messaging/MessagingUtilities.cs | 21 |
2 files changed, 23 insertions, 1 deletions
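--- a/src/DotNetOAuth/Consumer.cs
+++ b/src/DotNetOAuth/Consumer.cs
@@ -87,7 +87,8 @@ namespace DotNetOAuth {
 /// Requires HttpContext.Current.
 /// </remarks>
 public Response RequestUserAuthorization() {
- return this.RequestUserAuthorization(MessagingUtilities.GetRequestUrlFromContext(), null, null);
+ Uri callback = MessagingUtilities.GetRequestUrlFromContext().StripQueryArgumentsWithPrefix(Protocol.Default.ParameterPrefix);
+ return this.RequestUserAuthorization(callback, null, null);
 }
 /// <summary>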
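Review bot: The `<remarks>` on RequestUserAuthorization (they begin above the hunk) still say only that HttpContext.Current is required, while the new `Uri callback = ...` line changes what is sent as the callback: the current request URL with every query parameter carrying Protocol.Default.ParameterPrefix removed. That is worth stating to callers, because it determines the URL the service provider redirects the user back to. Suggest extending the remarks with `/// The callback URL is the current request URL with any query parameters whose name starts with Protocol.Default.ParameterPrefix removed, so that a response already present in the page's query string is not carried into a new authorization round trip.` The last clause restates the commit message's intent and should be confirmed against Consumer's handling of the callback.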
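--- a/src/DotNetOAuth/Messaging/MessagingUtilities.cs
+++ b/src/DotNetOAuth/Messaging/MessagingUtilities.cs
@@ -154,6 +154,27 @@ namespace DotNetOAuth.Messaging {
 }
 /// <summary>
+ /// Strips any and all URI query parameters that start with some prefix.
+ /// </summary>
+ /// <param name="uri">The URI that may have a query with parameters to remove.</param>
+ /// <param name="prefix">The prefix for parameters to remove.</param>
+ /// <returns>Either a new Uri with the parameters removed if there were any to remove, or the same Uri instance if no parameters needed to be removed.</returns>
+ internal static Uri StripQueryArgumentsWithPrefix(this Uri uri, string prefix) {
+ NameValueCollection queryArgs = HttpUtility.ParseQueryString(uri.Query);
+ var matchingKeys = queryArgs.Keys.OfType<string>().Where(key => key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)).ToList();
+ if (matchingKeys.Count > 0) {
+ UriBuilder builder = new UriBuilder(uri);
+ foreach (string key in matchingKeys) {
+ queryArgs.Remove(key);
+ }
+ builder.Query = CreateQueryString(queryArgs.ToDictionary());
+ return builder.Uri;
+ } else {
+ return uri;
+ }
+ }
+
+ /// <summary>
 /// Extracts the recipient from an HttpRequestInfo.
 /// </summary>
 /// <param name="request">The request to get recipient information from.</param>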
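Review bot: `StripQueryArgumentsWithPrefix` validates neither argument: a null `uri` fails on `uri.Query` with a NullReferenceException and a null `prefix` surfaces as an ArgumentNullException thrown from inside the `Where` lambda, neither of which names the offending parameter; add `if (uri == null) { throw new ArgumentNullException("uri"); }` and `if (prefix == null) { throw new ArgumentNullException("prefix"); }` before the ParseQueryString call. The `<summary>` should also say that the prefix match is case-insensitive (`StringComparison.OrdinalIgnoreCase`), which is broader than OAuth's case-sensitive parameter names but errs on the side of removing more, which is the safe direction for this purpose. `HttpUtility.ParseQueryString` yields a null key for a bare `?value` segment; `OfType<string>` skips it during matching, but whether the `ToDictionary()` extension used to rebuild the query (defined outside this hunk) tolerates a null key cannot be confirmed from here. The `else` after `return builder.Uri;` is redundant and reads better flattened to a trailing `return uri;`. The enclosing MessagingUtilities class continues outside the hunk.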