summaryrefslogtreecommitdiffstats
path: root/src/DotNetOpenAuth.Core
diff options
context:
space:
mode:
Diffstat (limited to 'src/DotNetOpenAuth.Core')
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs4
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs11
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx7
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs20
4 files changed, 31 insertions, 11 deletions
diff --git a/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs b/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
index 377e6d8..e7ac254 100644
--- a/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
@@ -215,8 +215,8 @@ namespace DotNetOpenAuth.Messaging {
if (this.signed) {
using (var dataStream = new MemoryStream(data)) {
var dataReader = new BinaryReader(dataStream);
- signature = dataReader.ReadBuffer();
- data = dataReader.ReadBuffer();
+ signature = dataReader.ReadBuffer(1024);
+ data = dataReader.ReadBuffer(8 * 1024);
}
// Verify that the verification code was issued by message authorization server.
diff --git a/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs b/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs
index 2fe273f..4f89589 100644
--- a/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs
@@ -1,7 +1,7 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
-// Runtime Version:4.0.30319.239
+// Runtime Version:4.0.30319.18010
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
@@ -106,6 +106,15 @@ namespace DotNetOpenAuth.Messaging {
}
/// <summary>
+ /// Looks up a localized string similar to Decoding failed due to data corruption..
+ /// </summary>
+ internal static string DataCorruptionDetected {
+ get {
+ return ResourceManager.GetString("DataCorruptionDetected", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to An instance of type {0} was expected, but received unexpected derived type {1}..
/// </summary>
internal static string DerivedTypeNotExpected {
diff --git a/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx b/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx
index fbdb63d..15ca046 100644
--- a/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx
+++ b/src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx
@@ -112,10 +112,10 @@
<value>2.0</value>
</resheader>
<resheader name="reader">
- <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+ <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<resheader name="writer">
- <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+ <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<data name="ArgumentPropertyMissing" xml:space="preserve">
<value>Argument's {0}.{1} property is required but is empty or null.</value>
@@ -333,4 +333,7 @@
<data name="UnexpectedBufferLength" xml:space="preserve">
<value>Unexpected buffer length.</value>
</data>
+ <data name="DataCorruptionDetected" xml:space="preserve">
+ <value>Decoding failed due to data corruption.</value>
+ </data>
</root> \ No newline at end of file
diff --git a/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs b/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
index d6df26c..2e72c97 100644
--- a/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
@@ -171,9 +171,10 @@ namespace DotNetOpenAuth.Messaging {
/// <param name="outgoingResponse">The response to send to the user agent.</param>
/// <returns>The <see cref="HttpResponseMessage"/> instance to be returned by the Web API method.</returns>
public static HttpResponseMessage AsHttpResponseMessage(this OutgoingWebResponse outgoingResponse) {
- HttpResponseMessage response = new HttpResponseMessage(outgoingResponse.Status) {
- Content = new StreamContent(outgoingResponse.ResponseStream)
- };
+ HttpResponseMessage response = new HttpResponseMessage(outgoingResponse.Status);
+ if (outgoingResponse.ResponseStream != null) {
+ response.Content = new StreamContent(outgoingResponse.ResponseStream);
+ }
var responseHeaders = outgoingResponse.Headers;
foreach (var header in responseHeaders.AllKeys) {
@@ -876,7 +877,7 @@ namespace DotNetOpenAuth.Messaging {
using (var encryptedStream = new MemoryStream(buffer)) {
var encryptedStreamReader = new BinaryReader(encryptedStream);
- byte[] encryptedPrequel = encryptedStreamReader.ReadBytes(encryptedStreamReader.ReadInt32());
+ byte[] encryptedPrequel = encryptedStreamReader.ReadBuffer(4096);
byte[] prequel = crypto.Decrypt(encryptedPrequel, false);
using (var symmetricCrypto = new RijndaelManaged()) {
@@ -1068,7 +1069,7 @@ namespace DotNetOpenAuth.Messaging {
missingPaddingCharacters = 0;
break;
default:
- throw ErrorUtilities.ThrowInternal("No more than two padding characters should be present for base64.");
+ throw new ProtocolException(MessagingStrings.DataCorruptionDetected, new ArgumentException("No more than two padding characters should be present for base64."));
}
var builder = new StringBuilder(base64WebSafe, base64WebSafe.Length + missingPaddingCharacters);
builder.Replace('-', '+').Replace('_', '/');
@@ -1746,10 +1747,17 @@ namespace DotNetOpenAuth.Messaging {
/// Reads a buffer that is prefixed with its own length.
/// </summary>
/// <param name="reader">The binary reader positioned at the buffer length.</param>
+ /// <param name="maxBufferSize">
+ /// The maximum size of the buffer that should be permitted.
+ /// Although the stream will indicate the size of the buffer, this mitigates data corruption
+ /// or DoS attacks causing the web server to allocate too much memory for a small data packet.
+ /// </param>
/// <returns>The read buffer.</returns>
- internal static byte[] ReadBuffer(this BinaryReader reader) {
+ internal static byte[] ReadBuffer(this BinaryReader reader, int maxBufferSize) {
Requires.NotNull(reader, "reader");
+ Requires.InRange(maxBufferSize > 0 && maxBufferSize < 1024 * 1024, "maxBufferSize");
int length = reader.ReadInt32();
+ ErrorUtilities.VerifyProtocol(length <= maxBufferSize, MessagingStrings.DataCorruptionDetected);
byte[] buffer = new byte[length];
ErrorUtilities.VerifyProtocol(reader.Read(buffer, 0, length) == length, MessagingStrings.UnexpectedBufferLength);
return buffer;
generated by cgit v1.1 at 2025-05-29 11:05:22 +0000