Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs | 9 | ||||
-rw-r--r-- | src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx | 3 | ||||
-rw-r--r-- | src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs | 31 |
3 files changed, 42 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
index b3482fd..dcd6139 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
@@ -133,6 +133,15 @@ namespace DotNetOpenAuth.OAuth2 {
 }
 /// <summary>
+ /// Looks up a localized string similar to The scope token "{0}" contains illegal characters or is empty..
+ /// </summary>
+ internal static string InvalidScopeToken {
+ get {
+ return ResourceManager.GetString("InvalidScopeToken", resourceCulture);
+ }
+ }
+
+ /// <summary>
 /// Looks up a localized string similar to No callback URI was available for this request..
 /// </summary>
 internal static string NoCallback {
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
index faa9fe5..9f920e7 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
@@ -141,6 +141,9 @@
 <data name="InvalidClientCredentials" xml:space="preserve">
 <value>Failed to obtain access token due to invalid Client Identifier or Client Secret.</value>
 </data>
+ <data name="InvalidScopeToken" xml:space="preserve">
+ <value>The scope token "{0}" contains illegal characters or is empty.</value>
+ </data>
 <data name="NoCallback" xml:space="preserve">
 <value>No callback URI was available for this request.</value>
 </data>
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
index a032ed5..245779a 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs
@@ -72,7 +72,9 @@ namespace DotNetOpenAuth.OAuth2 {
 return new HashSet<string>();
 }
- return new HashSet<string>(scope.Split(scopeDelimiter, StringSplitOptions.RemoveEmptyEntries), ScopeStringComparer);
+ var set = new HashSet<string>(scope.Split(scopeDelimiter, StringSplitOptions.RemoveEmptyEntries), ScopeStringComparer);
+ VerifyValidScopeTokens(set);
+ return set;
 }
 /// <summary>
@@ -82,10 +84,37 @@ namespace DotNetOpenAuth.OAuth2 {
 /// <returns>A space-delimited list.</returns>
 public static string JoinScopes(HashSet<string> scopes) {
 Requires.NotNull(scopes, "scopes");
+ VerifyValidScopeTokens(scopes);
 return string.Join(" ", scopes.ToArray());
 }
 /// <summary>
+ /// Verifies that a sequence of scope tokens are all valid.
+ /// </summary>
+ /// <param name="scopes">The scopes.</param>
+ internal static void VerifyValidScopeTokens(IEnumerable<string> scopes) {
+ Requires.NotNull(scopes, "scopes");
+ foreach (string scope in scopes) {
+ VerifyValidScopeToken(scope);
+ }
+ }
+
+ /// <summary>
+ /// Verifies that a given scope token (not a space-delimited set, but a single token) is valid.
+ /// </summary>
+ /// <param name="scopeToken">The scope token.</param>
+ internal static void VerifyValidScopeToken(string scopeToken) {
+ ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(scopeToken), OAuthStrings.InvalidScopeToken, scopeToken);
+ for (int i = 0; i < scopeToken.Length; i++) {
+ // The allowed set of characters comes from OAuth 2.0 section 3.3 (draft 23)
+ char ch = scopeToken[i];
+ if (!(ch == '\x21' || (ch >= '\x23' && ch <= '\x5B') || (ch >= '\x5D' && ch <= '\x7E'))) {
+ ErrorUtilities.ThrowProtocol(OAuthStrings.InvalidScopeToken, scopeToken);
+ }
+ }
+ }
+
+ /// <summary>
 /// Authorizes an HTTP request using an OAuth 2.0 access token in an HTTP Authorization header.
 /// </summary>
 /// <param name="request">The request to authorize.</param> |
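Review bot: `VerifyValidScopeToken` passes the rejected token back verbatim as the `{0}` argument of `OAuthStrings.InvalidScopeToken`, at both the `VerifyProtocol` call and the `ThrowProtocol` inside the loop, and a token only reaches that path because it carries characters outside %x21 / %x23-5B / %x5D-7E — control characters, quotes, backslashes or non-ASCII chosen by the peer. If that ProtocolException message is written to a log or surfaced as an OAuth `error_description` (which the spec restricts to almost the same character set), the raw bytes are a client-controlled log-injection vector or yield a malformed error response; I cannot see the exception's consumers from this hunk, so confirm before deciding how much this matters. A cheap mitigation is to escape or truncate the value before formatting it, e.g. `ErrorUtilities.ThrowProtocol(OAuthStrings.InvalidScopeToken, Uri.EscapeDataString(scopeToken));`, applied to the `VerifyProtocol` call as well. Separately, `JoinScopes` now throws a protocol-level exception for a scope set assembled in-process, which conflates a caller's programming error with a remote party's protocol violation; an `ArgumentException` or a `Requires` precondition at that call site would be the more honest signal. `JoinScopes` begins outside the hunk, as does `SplitScopes` in the hunk above.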