Merge branch 'v2.5' into v2.6origin/v2.6

Conflicts: src/version.txt
author: Andrew Arnott <andrewarnott@gmail.com> 2009-12-28 08:18:35 -0800
committer: Andrew Arnott <andrewarnott@gmail.com> 2009-12-28 08:18:35 -0800
commit: d855f2c295e0bbb7a3b73f8dfc933a539c2a2efe (patch)
tree: 6d309115c206711a6e6a7bba33ac45a7eaddf9f7 /src/DotNetOpenId/UntrustedWebRequest.cs
parent: 66f7179ed6fa8bc8bcd7e831ebb8ac4548067d85 (diff)
parent: 360a625667a5e3fcb169710dd35536fc32df8759 (diff)
download: DotNetOpenAuth-origin/v2.6.zip
DotNetOpenAuth-origin/v2.6.tar.gz
DotNetOpenAuth-origin/v2.6.tar.bz2
1 files changed, 6 insertions, 4 deletions
diff --git a/src/DotNetOpenId/UntrustedWebRequest.cs b/src/DotNetOpenId/UntrustedWebRequest.cs
index 6a997a4..4ba07af 100644
--- a/src/DotNetOpenId/UntrustedWebRequest.cs
+++ b/src/DotNetOpenId/UntrustedWebRequest.cs
@@ -224,11 +224,11 @@ namespace DotNetOpenId {
 			}
 		}
 
-		static UntrustedWebResponse getResponse(Uri requestUri, HttpWebResponse resp) {
+		static UntrustedWebResponse getResponse(Uri requestUri, Uri finalRequestUri, HttpWebResponse resp) {
 			byte[] data;
 			int length;
 			readData(resp, out data, out length);
-			return new UntrustedWebResponse(requestUri, resp, new MemoryStream(data, 0, length));
+			return new UntrustedWebResponse(requestUri, finalRequestUri, resp, new MemoryStream(data, 0, length));
 		}
 
 		internal static UntrustedWebResponse Request(Uri uri) {
@@ -283,6 +283,8 @@ namespace DotNetOpenId {
 			// If SSL is required throughout, we cannot allow auto redirects because
 			// it may include a pass through an unprotected HTTP request.
 			// We have to follow redirects manually, and our caller will be responsible for that.
+			// It also allows us to ignore HttpWebResponse.FinalUri since that can be affected by
+			// the Content-Location header and open security holes.
 			request.AllowAutoRedirect = false;
 			request.ReadWriteTimeout = (int)ReadWriteTimeout.TotalMilliseconds;
 			request.Timeout = (int)Timeout.TotalMilliseconds;
@@ -316,7 +318,7 @@ namespace DotNetOpenId {
 				}
 
 				using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) {
-					return getResponse(originalRequestUri, response);
+					return getResponse(originalRequestUri, request.RequestUri, response);
 				}
 			} catch (WebException e) {
 				using (HttpWebResponse response = (HttpWebResponse)e.Response) {
@@ -326,7 +328,7 @@ namespace DotNetOpenId {
 								return RequestInternal(uri, body, acceptTypes, requireSsl, true, originalRequestUri, cachePolicy);
 							}
 						}
-						return getResponse(originalRequestUri, response);
+						return getResponse(originalRequestUri, request.RequestUri, response);
 					} else {
 						throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
 							Strings.WebRequestFailed, originalRequestUri), e);
author	Andrew Arnott <andrewarnott@gmail.com>	2009-12-28 08:18:35 -0800
committer	Andrew Arnott <andrewarnott@gmail.com>	2009-12-28 08:18:35 -0800
commit	d855f2c295e0bbb7a3b73f8dfc933a539c2a2efe (patch)
tree	6d309115c206711a6e6a7bba33ac45a7eaddf9f7 /src/DotNetOpenId/UntrustedWebRequest.cs
parent	66f7179ed6fa8bc8bcd7e831ebb8ac4548067d85 (diff)
parent	360a625667a5e3fcb169710dd35536fc32df8759 (diff)
download	DotNetOpenAuth-origin/v2.6.zip DotNetOpenAuth-origin/v2.6.tar.gz DotNetOpenAuth-origin/v2.6.tar.bz2