author | Andrew Arnott <andrewarnott@gmail.com> | 2009-10-05 10:54:17 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-10-05 10:54:17 -0700 |
commit | f59457f268186797edcc754a364a78dd4f9d3454 (patch) | |
tree | 7ff802b3b8beebff8aab3abea9a8a6850fd2a2dd /src | |
parent | 04b17fd21f7d37b6870312ba09d1cd84f7848543 (diff) | |
Fixed bug where HttpWebResponse.FinalUri might not really be the responding endpoint, resulting in an incorrect claimed_id value going to the OP.
Fixed Trac ticket #136.
Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth/Messaging/IncomingWebResponse.cs | 2 | ||||
-rw-r--r-- | src/DotNetOpenAuth/Messaging/UntrustedWebRequestHandler.cs | 21 |
2 files changed, 17 insertions, 6 deletions
diff --git a/src/DotNetOpenAuth/Messaging/IncomingWebResponse.cs b/src/DotNetOpenAuth/Messaging/IncomingWebResponse.cs
index dee81dc..e471a06 100644
--- a/src/DotNetOpenAuth/Messaging/IncomingWebResponse.cs
+++ b/src/DotNetOpenAuth/Messaging/IncomingWebResponse.cs
@@ -101,7 +101,7 @@ namespace DotNetOpenAuth.Messaging {
 /// This can be different from the <see cref="RequestUri"/> in cases of
 /// redirection during the request.
 /// </remarks>
- public Uri FinalUri { get; private set; }
+ public Uri FinalUri { get; internal set; }
 /// <summary>
 /// Gets the headers that must be included in the response to the user agent.
diff --git a/src/DotNetOpenAuth/Messaging/UntrustedWebRequestHandler.cs b/src/DotNetOpenAuth/Messaging/UntrustedWebRequestHandler.cs
index 733b698..1656155 100644
--- a/src/DotNetOpenAuth/Messaging/UntrustedWebRequestHandler.cs
+++ b/src/DotNetOpenAuth/Messaging/UntrustedWebRequestHandler.cs
@@ -259,6 +259,15 @@ namespace DotNetOpenAuth.Messaging {
 Uri redirectUri = new Uri(response.FinalUri, response.Headers[HttpResponseHeader.Location]);
 request = request.Clone(redirectUri);
 } else {
+ if (response.FinalUri != request.RequestUri) {
+ // Since we don't automatically follow redirects, there's only one scenario where this
+ // can happen: when the server sends a (non-redirecting) Content-Location header in the response.
+ // It's imperative that we do not trust that header though, so coerce the FinalUri to be
+ // what we just requested.
+ Logger.Http.WarnFormat("The response from {0} included an HTTP header indicating it's the same as {1}, but it's not a redirect so we won't trust that.", request.RequestUri, response.FinalUri);
+ response.FinalUri = request.RequestUri;
+ }
+
 return response;
 }
 }
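Review bot: Widening the FinalUri setter from private to internal lets any code in the assembly overwrite the URI that, per the commit message, ends up as the claimed_id sent to the OP, yet the property's `<remarks>` still says nothing about who may set it or why. Add a sentence such as `/// The setter is internal only so the request handler can reset a value that the underlying HttpWebResponse derived from an untrusted Content-Location header; it is not a general-purpose mutator.` so a later maintainer does not start assigning it elsewhere. The property's enclosing class begins before this hunk.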
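Review bot: The redirect branch just above the added block still resolves a relative Location header against `response.FinalUri`, the same value the new else-branch declares untrustworthy, so a 3xx response carrying both a Content-Location and a relative Location would be followed relative to the server-chosen Content-Location rather than the URI actually requested. Since AllowAutoRedirect is forced off, the response is known to have come from request.RequestUri, so the base should be `Uri redirectUri = new Uri(request.RequestUri, response.Headers[HttpResponseHeader.Location]);`. I cannot confirm from here whether HttpWebResponse lets Content-Location influence its reported URI on redirect responses as well, but anchoring to RequestUri is correct in either case. Separately, the warning text `indicating it's the same as {1}` reads backwards, since the header claims the content lives at {1}; something like `"The response from {0} carried a Content-Location header claiming {1}, but it is not a redirect so that header is ignored."` is clearer. The enclosing method begins before this hunk.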
@@ -455,12 +464,14 @@ namespace DotNetOpenAuth.Messaging {
 request.ReadWriteTimeout = (int)this.ReadWriteTimeout.TotalMilliseconds;
 request.Timeout = (int)this.Timeout.TotalMilliseconds;
 request.KeepAlive = false;
-
- // If SSL is required throughout, we cannot allow auto redirects because
- // it may include a pass through an unprotected HTTP request.
- // We have to follow redirects manually.
- request.AllowAutoRedirect = false;
 }
+
+ // If SSL is required throughout, we cannot allow auto redirects because
+ // it may include a pass through an unprotected HTTP request.
+ // We have to follow redirects manually.
+ // It also allows us to ignore HttpWebResponse.FinalUri since that can be affected by
+ // the Content-Location header and open security holes.
+ request.AllowAutoRedirect = false;
 }
 }
 }
|
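Review bot: Now that `request.AllowAutoRedirect = false;` has moved out of the conditional closed by the preceding `}` and runs for every request, the comment above it still opens with "If SSL is required throughout", which reads as though the setting were still conditional on SSL. Lead with the unconditional reason instead, e.g. `// Always follow redirects manually rather than letting HttpWebRequest do it: an automatic chain could pass through plain HTTP when SSL is required, and it would also let a server-supplied Content-Location header alter the final URI we report.` The comment also refers to `HttpWebResponse.FinalUri`, but FinalUri is this library's IncomingWebResponse property (see the first hunk), not a member of HttpWebResponse, so name the property that is actually meant. The enclosing method begins before this hunk.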