authorAndrew Arnott <andrewarnott@gmail.com>2009-12-28 08:18:35 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2009-12-28 08:18:35 -0800
commitd855f2c295e0bbb7a3b73f8dfc933a539c2a2efe (patch)
tree6d309115c206711a6e6a7bba33ac45a7eaddf9f7 /src/DotNetOpenId/UntrustedWebRequest.cs
parent66f7179ed6fa8bc8bcd7e831ebb8ac4548067d85 (diff)
parent360a625667a5e3fcb169710dd35536fc32df8759 (diff)
Merge branch 'v2.5' into v2.6origin/v2.6
Conflicts: src/version.txt
Diffstat (limited to 'src/DotNetOpenId/UntrustedWebRequest.cs')
-rw-r--r--src/DotNetOpenId/UntrustedWebRequest.cs10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/DotNetOpenId/UntrustedWebRequest.cs b/src/DotNetOpenId/UntrustedWebRequest.cs
index 6a997a4..4ba07af 100644
--- a/src/DotNetOpenId/UntrustedWebRequest.cs
+++ b/src/DotNetOpenId/UntrustedWebRequest.cs
@@ -224,11 +224,11 @@ namespace DotNetOpenId {
}
}
- static UntrustedWebResponse getResponse(Uri requestUri, HttpWebResponse resp) {
+ static UntrustedWebResponse getResponse(Uri requestUri, Uri finalRequestUri, HttpWebResponse resp) {
byte[] data;
int length;
readData(resp, out data, out length);
- return new UntrustedWebResponse(requestUri, resp, new MemoryStream(data, 0, length));
+ return new UntrustedWebResponse(requestUri, finalRequestUri, resp, new MemoryStream(data, 0, length));
}
internal static UntrustedWebResponse Request(Uri uri) {
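Review bot: The new `finalRequestUri` parameter on getResponse is undocumented, and since it now sits next to `requestUri` the distinction between the two (the URI the caller asked for versus the URI the response was actually fetched from after manual redirects) is exactly what a later maintainer is likely to get wrong. I would add an XML doc comment above the signature: `/// <param name="requestUri">The URI originally requested by the caller.</param>` and `/// <param name="finalRequestUri">The URI the response was actually fetched from (after any manually followed redirects); taken from the request, not from the response headers.</param>`. It would also help to state in the `<summary>` that the body is read fully into memory via readData before the response object is built, since that is what makes the response usable after the HttpWebResponse is disposed.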
@@ -283,6 +283,8 @@ namespace DotNetOpenId {
// If SSL is required throughout, we cannot allow auto redirects because
// it may include a pass through an unprotected HTTP request.
// We have to follow redirects manually, and our caller will be responsible for that.
+ // It also allows us to ignore HttpWebResponse.FinalUri since that can be affected by
+ // the Content-Location header and open security holes.
request.AllowAutoRedirect = false;
request.ReadWriteTimeout = (int)ReadWriteTimeout.TotalMilliseconds;
request.Timeout = (int)Timeout.TotalMilliseconds;
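Review bot: The added comment names a property that does not exist on HttpWebResponse; the property that reports the responding URI is `HttpWebResponse.ResponseUri`, and that is the value the Content-Location header can influence. As written, the comment sends a reader looking for `FinalUri` and makes the rationale for `AllowAutoRedirect = false` harder to verify. I would replace the two lines with `// It also lets us ignore HttpWebResponse.ResponseUri, which can be influenced by the` / `// Content-Location response header and so must never be trusted as the fetched URI.` The enclosing method starts before this hunk, so the request's construction is not visible here.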
@@ -316,7 +318,7 @@ namespace DotNetOpenId {
}
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) {
- return getResponse(originalRequestUri, response);
+ return getResponse(originalRequestUri, request.RequestUri, response);
}
} catch (WebException e) {
using (HttpWebResponse response = (HttpWebResponse)e.Response) {
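Review bot: Passing `request.RequestUri` as the fetched URI is correct only while `AllowAutoRedirect` stays false on this request (set earlier in the method, outside this hunk); if a future change re-enabled automatic redirects, `RequestUri` would still hold the pre-redirect URI and the response would be attributed to the wrong origin without any compile-time or runtime signal. That invariant is not stated at the call site, so I would add a comment above the `using` line: `// RequestUri is the URI we actually sent to because AllowAutoRedirect is false; do not substitute response.ResponseUri here.` If there is a convenient place for it, an assertion such as `Debug.Assert(!request.AllowAutoRedirect)` before the call would make the dependency explicit. The enclosing method continues past the end of this hunk.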
@@ -326,7 +328,7 @@ namespace DotNetOpenId {
return RequestInternal(uri, body, acceptTypes, requireSsl, true, originalRequestUri, cachePolicy);
}
}
- return getResponse(originalRequestUri, response);
+ return getResponse(originalRequestUri, request.RequestUri, response);
} else {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.WebRequestFailed, originalRequestUri), e);