author | Andrew Arnott <andrewarnott@gmail.com> | 2012-02-12 20:47:39 -0800 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2012-02-12 20:47:39 -0800 |
commit | d292b0269f189720610314340e9580c9ccc53bdc (patch) | |
tree | 8adba3f1186a69a5b79779eacde5ff5d5dda4fc0 /src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs | |
parent | befe2ee53f3f1e60397a741765661b340a0162a8 (diff) | |
Added valid scope token verification.
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs')
-rw-r--r-- | src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
index a032ed5..245779a 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
@@ -72,7 +72,9 @@ namespace DotNetOpenAuth.OAuth2 {
 return new HashSet<string>();
 }
- return new HashSet<string>(scope.Split(scopeDelimiter, StringSplitOptions.RemoveEmptyEntries), ScopeStringComparer);
+ var set = new HashSet<string>(scope.Split(scopeDelimiter, StringSplitOptions.RemoveEmptyEntries), ScopeStringComparer);
+ VerifyValidScopeTokens(set);
+ return set;
 }
 /// <summary>
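Review bot: The enclosing method (its signature and XML documentation start above this hunk) now throws from the added `VerifyValidScopeTokens(set);` line whenever a token fails the scope grammar, but nothing visible tells callers that a method which used to return a set for any input can now throw; since `ErrorUtilities` is the thrower this is presumably a ProtocolException. Add `/// <exception cref="ProtocolException">Thrown when <paramref name="scope"/> contains a token that is not valid under the OAuth 2.0 scope-token grammar.</exception>` to that method's documentation block. Validation runs only after the split and the de-duplicating HashSet construction, which is harmless but means a malformed peer-supplied scope still pays for both before being rejected.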
@@ -82,10 +84,37 @@ namespace DotNetOpenAuth.OAuth2 {
 /// <returns>A space-delimited list.</returns>
 public static string JoinScopes(HashSet<string> scopes) {
 Requires.NotNull(scopes, "scopes");
+ VerifyValidScopeTokens(scopes);
 return string.Join(" ", scopes.ToArray());
 }
 /// <summary>
+ /// Verifies that a sequence of scope tokens are all valid.
+ /// </summary>
+ /// <param name="scopes">The scopes.</param>
+ internal static void VerifyValidScopeTokens(IEnumerable<string> scopes) {
+ Requires.NotNull(scopes, "scopes");
+ foreach (string scope in scopes) {
+ VerifyValidScopeToken(scope);
+ }
+ }
+
+ /// <summary>
+ /// Verifies that a given scope token (not a space-delimited set, but a single token) is valid.
+ /// </summary>
+ /// <param name="scopeToken">The scope token.</param>
+ internal static void VerifyValidScopeToken(string scopeToken) {
+ ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(scopeToken), OAuthStrings.InvalidScopeToken, scopeToken);
+ for (int i = 0; i < scopeToken.Length; i++) {
+ // The allowed set of characters comes from OAuth 2.0 section 3.3 (draft 23)
+ char ch = scopeToken[i];
+ if (!(ch == '\x21' || (ch >= '\x23' && ch <= '\x5B') || (ch >= '\x5D' && ch <= '\x7E'))) {
+ ErrorUtilities.ThrowProtocol(OAuthStrings.InvalidScopeToken, scopeToken);
+ }
+ }
+ }
+
+ /// <summary>
 /// Authorizes an HTTP request using an OAuth 2.0 access token in an HTTP Authorization header.
 /// </summary>
 /// <param name="request">The request to authorize.</param> |
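Review bot: The `ErrorUtilities.ThrowProtocol(OAuthStrings.InvalidScopeToken, scopeToken)` call inside the loop of VerifyValidScopeToken formats the rejected token verbatim into the exception message at the exact moment the loop has proven it contains a character outside %x21 / %x23-5B / %x5D-7E, so control characters, CR/LF or non-ASCII from an untrusted request are carried unchanged into whatever log line or error response that ProtocolException ends up in. Report a neutralized form instead, e.g. `ErrorUtilities.ThrowProtocol(OAuthStrings.InvalidScopeToken, Uri.EscapeDataString(scopeToken));`, or the index and code point of the offending character, whichever fits the wording of OAuthStrings.InvalidScopeToken (not visible here). The same validation added to JoinScopes turns a locally constructed scope set into a ProtocolException, which callers normally read as peer misbehaviour; if JoinScopes only serializes data the server built itself, an argument-style check via `Requires` would describe the failure more honestly. Neither new method documents the throw; each needs a `/// <exception cref="ProtocolException">` element, and the `String.IsNullOrEmpty` spelling should match the file's `string.Join` usage. The trailing summary lines belong to the Authorize method, whose body is outside this hunk.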