author | Andrew Arnott <andrewarnott@gmail.com> | 2009-12-28 08:18:35 -0800 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-12-28 08:18:35 -0800 |
commit | d855f2c295e0bbb7a3b73f8dfc933a539c2a2efe (patch) | |
tree | 6d309115c206711a6e6a7bba33ac45a7eaddf9f7 /src/DotNetOpenId/UntrustedWebRequest.cs | |
parent | 66f7179ed6fa8bc8bcd7e831ebb8ac4548067d85 (diff) | |
parent | 360a625667a5e3fcb169710dd35536fc32df8759 (diff) | |
Merge branch 'v2.5' into v2.6origin/v2.6
Conflicts:
src/version.txt
Diffstat (limited to 'src/DotNetOpenId/UntrustedWebRequest.cs')
-rw-r--r-- | src/DotNetOpenId/UntrustedWebRequest.cs | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/DotNetOpenId/UntrustedWebRequest.cs b/src/DotNetOpenId/UntrustedWebRequest.cs
index 6a997a4..4ba07af 100644
--- a/src/DotNetOpenId/UntrustedWebRequest.cs
+++ b/src/DotNetOpenId/UntrustedWebRequest.cs
@@ -224,11 +224,11 @@ namespace DotNetOpenId {
 }
}
- static UntrustedWebResponse getResponse(Uri requestUri, HttpWebResponse resp) {
+ static UntrustedWebResponse getResponse(Uri requestUri, Uri finalRequestUri, HttpWebResponse resp) {
byte[] data;
int length;
readData(resp, out data, out length);
- return new UntrustedWebResponse(requestUri, resp, new MemoryStream(data, 0, length));
+ return new UntrustedWebResponse(requestUri, finalRequestUri, resp, new MemoryStream(data, 0, length));
}
internal static UntrustedWebResponse Request(Uri uri) {
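Review bot: `getResponse` now takes two adjacent `Uri` parameters with nothing to tell them apart, so a transposed call would still compile and silently hand the wrong URL to `UntrustedWebResponse`. A short comment above the method would pin the roles, for example `// requestUri: the URL the caller originally asked for. finalRequestUri: the URL of the request that produced resp, taken from the request object and never from response headers.` The description of `finalRequestUri` is inferred from the call sites later in this diff, so it should be checked against the `UntrustedWebResponse` constructor, which is not shown here.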
@@ -283,6 +283,8 @@ namespace DotNetOpenId {
 // If SSL is required throughout, we cannot allow auto redirects because
// it may include a pass through an unprotected HTTP request.
// We have to follow redirects manually, and our caller will be responsible for that.
+ // It also allows us to ignore HttpWebResponse.FinalUri since that can be affected by
+ // the Content-Location header and open security holes.
request.AllowAutoRedirect = false;
request.ReadWriteTimeout = (int)ReadWriteTimeout.TotalMilliseconds;
request.Timeout = (int)Timeout.TotalMilliseconds;
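Review bot: The added comment names `HttpWebResponse.FinalUri`, but `HttpWebResponse` has no such member; the property a server can influence through a Content-Location header is `HttpWebResponse.ResponseUri`. A maintainer searching for the risky property will not find it under the name given, so I would reword the two lines to `// Following redirects manually also lets us avoid HttpWebResponse.ResponseUri, which a` / `// remote server can influence through the Content-Location header.` The comment block opens with "If SSL is required throughout", yet the assignment `request.AllowAutoRedirect = false;` looks unconditional as far as this hunk shows, so it may be worth saying outright that redirects are disabled for every request. The enclosing method starts and ends outside the hunk.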
@@ -316,7 +318,7 @@ namespace DotNetOpenId {
 }
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) {
- return getResponse(originalRequestUri, response);
+ return getResponse(originalRequestUri, request.RequestUri, response);
}
} catch (WebException e) {
using (HttpWebResponse response = (HttpWebResponse)e.Response) {
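Review bot: `request.RequestUri` is the URL that produced `response` only while automatic redirects stay disabled, and nothing at this call site, or at the identical call in the catch block of the next hunk, records that dependency. `HttpWebRequest.RequestUri` always reports the URL the request was created with, so if `AllowAutoRedirect` were ever turned back on, the value passed as `finalRequestUri` would be the pre-redirect URL and no error would flag it. I would add a comment at both calls such as `// RequestUri is the final URI only because AllowAutoRedirect is false; redirects are followed by our caller.` The enclosing method starts and ends outside the hunk.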
@@ -326,7 +328,7 @@ namespace DotNetOpenId {
 return RequestInternal(uri, body, acceptTypes, requireSsl, true, originalRequestUri, cachePolicy);
}
}
- return getResponse(originalRequestUri, response);
+ return getResponse(originalRequestUri, request.RequestUri, response);
} else {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.WebRequestFailed, originalRequestUri), e);