author | Andrew Arnott <andrewarnott@gmail.com> | 2010-07-17 19:05:18 -0700 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-07-17 19:05:18 -0700 |
commit | f4f6396ab24973594eadc6fc5a7afbc1528b302f (patch) | |
tree | ce4bc973bb89e9122d7e2a30ceb75ef0ea5bc70a /src | |
parent | 65ac85fb64225377b57732d3bfaf7b40a03a0052 (diff) | |
Access token now checked for valid characters to appear in HTTP Authorization header.
Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs b/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
index fa1e661..4565a3f 100644
--- a/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
+++ b/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
@@ -24,6 +24,17 @@ namespace DotNetOpenAuth.OAuth2 {
 private static char[] scopeDelimiter = new char[] { ' ' };
 
 /// <summary>
+ /// The characters that may appear in an access token that is included in an HTTP Authorization header.
+ /// </summary>
+ /// <remarks>
+ /// This is defined in OAuth 2.0 DRAFT 10, section 5.1.1. (http://tools.ietf.org/id/draft-ietf-oauth-v2-10.html#authz-header)
+ /// </remarks>
+ private static string accessTokenAuthorizationHeaderAllowedCharacters = MessagingUtilities.UppercaseLetters +
+ MessagingUtilities.LowercaseLetters +
+ MessagingUtilities.Digits +
+ @"!#$%&'()*+-./:<=>?@[]^_`{|}~\,;";
+
+ /// <summary>
 /// Determines whether one given scope is a subset of another scope.
 /// </summary>
 /// <param name="requestedScope">The requested scope, which may be a subset of <paramref name="grantedScope"/>.</param>
@@ -71,10 +82,12 @@ namespace DotNetOpenAuth.OAuth2 {
 internal static void AuthorizeWithOAuthWrap(this HttpWebRequest request, string accessToken) {
 Contract.Requires<ArgumentNullException>(request != null);
 Contract.Requires<ArgumentException>(!string.IsNullOrEmpty(accessToken));
+ Contract.Requires<ArgumentException>(accessToken.All(ch => accessTokenAuthorizationHeaderAllowedCharacters.IndexOf(ch) >= 0), "The access token contains characters that must not appear in the HTTP Authorization header.");
+
 request.Headers[HttpRequestHeader.Authorization] = string.Format(
 CultureInfo.InvariantCulture,
 Protocol.HttpAuthorizationHeaderFormat,
- Uri.EscapeDataString(accessToken));
+ accessToken);
 }
 
 /// <summary> |
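Review bot: The new `Contract.Requires<ArgumentException>` line in `AuthorizeWithOAuthWrap` is now the only thing between `accessToken` and the raw `Authorization` header value, since the same hunk removes `Uri.EscapeDataString`; as a precondition its enforcement depends on how Code Contracts is configured per build, and if any configuration compiles without runtime contract checking, the character-set check vanishes while the unescaped write stays, so a token containing `"`, whitespace or a control character would be written into the header untouched. Because the allowed set is a property of the wire format rather than a caller contract, I would make the check unconditional: `if (!accessToken.All(ch => accessTokenAuthorizationHeaderAllowedCharacters.IndexOf(ch) >= 0)) { throw new ArgumentException("The access token contains characters that must not appear in the HTTP Authorization header.", "accessToken"); }`. In the first hunk, `accessTokenAuthorizationHeaderAllowedCharacters` is never reassigned and should be declared `private static readonly string`, and a `HashSet<char>` built from it would make the per-character membership test read as a lookup rather than a string scan. Whether the listed characters match draft 10 section 5.1.1 I cannot confirm from this page, so a short remark on the field stating that `"`, SP/HT and CTLs are deliberately absent (the characters the removed escape call used to neutralise) would help the next reader verify it.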