
Commit 951ff62
Merge branch 'v4.0' into v4.1
2 parents 90cbeec + 5ceb75f commit 951ff62

9 files changed

Lines changed: 54 additions & 10 deletions


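--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -2,6 +2,7 @@ namespace OpenIdProviderMvc.Controllers {
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net;
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Mvc.Ajax;
@@ -94,13 +95,25 @@ public ActionResult AskUser() {
 return response;
 }
 
+if (!ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity &&
+!this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest)) {
+return this.Redirect(this.Url.Action("LogOn", "Account", new { returnUrl = this.Request.Url }));
+}
+
 this.ViewData["Realm"] = ProviderEndpoint.PendingRequest.Realm;
 
 return this.View();
 }
 
 [HttpPost, Authorize, ValidateAntiForgeryToken]
 public ActionResult AskUserResponse(bool confirmed) {
+if (!ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity &&
+!this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest))
+{
+// The user shouldn't have gotten this far without controlling the identifier we'd send an assertion for.
+return new HttpStatusCodeResult((int)HttpStatusCode.BadRequest);
+}
+
 if (ProviderEndpoint.PendingAnonymousRequest != null) {
 ProviderEndpoint.PendingAnonymousRequest.IsApproved = confirmed;
 } else if (ProviderEndpoint.PendingAuthenticationRequest != null) {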
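Review bot: The guard added at line 110 of AskUserResponse dereferences `ProviderEndpoint.PendingAuthenticationRequest` without a null check, while the existing code three lines below (`if (ProviderEndpoint.PendingAnonymousRequest != null) { ... } else if (ProviderEndpoint.PendingAuthenticationRequest != null)`) treats it as possibly null, so an anonymous (extension-only) request that reaches this POST now dies with a NullReferenceException instead of being approved or refused; the guard added to AskUser at line 98 has the same gap. Hoist the request into a local and make both checks null-safe: `var authRequest = ProviderEndpoint.PendingAuthenticationRequest;` / `if (authRequest != null && !authRequest.IsDirectedIdentity && !this.UserControlsIdentifier(authRequest)) {`. For the GET path, redirecting an already-authenticated user who simply does not control the claimed identifier back to LogOn with the current URL as returnUrl may loop if LogOn short-circuits for authenticated callers (not visible here); refusing with the same 400 as the POST path, or signing the user out first, avoids that. AskUser starts and AskUserResponse ends outside the hunk.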

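--- a/samples/OpenIdProviderWebForms/Code/CustomStore.cs
+++ b/samples/OpenIdProviderWebForms/Code/CustomStore.cs
@@ -9,6 +9,7 @@ namespace OpenIdProviderWebForms.Code {
 using System.Collections.Generic;
 using System.Data;
 using System.Globalization;
+using System.Linq;
 using DotNetOpenAuth;
 using DotNetOpenAuth.Configuration;
 using DotNetOpenAuth.Messaging.Bindings;
@@ -100,7 +101,7 @@ public IEnumerable<KeyValuePair<string, CryptoKey>> GetKeys(string bucket) {
 yield break;
 }
 
-foreach (CustomStoreDataSet.CryptoKeyRow row in view) {
+foreach (CustomStoreDataSet.CryptoKeyRow row in view.Cast<DataRowView>().Select(rv => rv.Row)) {
 yield return new KeyValuePair<string, CryptoKey>(row.Handle, new CryptoKey(row.Secret, row.ExpiresUtc));
 }
 }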
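Review bot: The loop variable at line 104 still relies on foreach's implicit runtime cast from `DataRow` (what `Select(rv => rv.Row)` yields) to `CustomStoreDataSet.CryptoKeyRow`, which is the same hidden cast the old `in view` form depended on and reads like a type error to the next maintainer; writing it as `foreach (var row in view.Cast<DataRowView>().Select(rv => (CustomStoreDataSet.CryptoKeyRow)rv.Row))` makes the conversion visible and fails at the same point if the view ever holds another row type. Since this is an iterator, a comment such as `// Lazily projects the filtered DataView rows into (handle, key) pairs; the secret is returned exactly as stored.` would tell readers of this sample store that nothing is copied or filtered here beyond what `view` already did. GetKeys and the construction of `view` start outside the hunk.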

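--- a/src/DotNetOpenAuth.AspNet/Clients/OAuth/OAuthClient.cs
+++ b/src/DotNetOpenAuth.AspNet/Clients/OAuth/OAuthClient.cs
@@ -164,9 +164,8 @@ public virtual AuthenticationResult VerifyAuthentication(HttpContextBase context
 internal static XDocument LoadXDocumentFromStream(Stream stream) {
 const int MaxChars = 0x10000; // 64k
 
-XmlReaderSettings settings = new XmlReaderSettings() {
-MaxCharactersInDocument = MaxChars
-};
+var settings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+settings.MaxCharactersInDocument = MaxChars;
 return XDocument.Load(XmlReader.Create(stream, settings));
 }
 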
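Review bot: The XmlReader created at line 169 is never disposed; `XDocument.Load` does not take ownership of it, so wrap it: `using (var reader = XmlReader.Create(stream, settings)) {` / `return XDocument.Load(reader);` — with `CloseInput` at its default of false this does not close the caller's `stream`. It is also worth saying why the 64k cap is layered on top of the shared settings, e.g. `// Bound the whole document, not just entity expansion: the shared untrusted settings limit DTDs/entities but leave MaxCharactersInDocument unlimited.`, since that is the one defence this method adds beyond `CreateUntrustedXmlReaderSettings()`. `LoadXDocumentFromStream` is fully inside the hunk; `VerifyAuthentication` named in the hunk header is not.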
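--- a/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
@@ -356,6 +356,27 @@ internal static Uri GetWebRoot() {
 return realmUrl.Uri;
 }
 
+/// Creates the XML reader settings to use for reading XML from untrusted sources.
+/// </summary>
+/// <returns>
+/// The new instance of <see cref="XmlReaderSettings"/>.
+/// </returns>
+/// <remarks>
+/// The default values set here are based on recommendations from
+/// http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
+/// </remarks>
+internal static XmlReaderSettings CreateUntrustedXmlReaderSettings() {
+return new XmlReaderSettings {
+MaxCharactersFromEntities = 1024,
+XmlResolver = null,
+#if CLR4
+DtdProcessing = DtdProcessing.Prohibit,
+#else
+ProhibitDtd = true,
+#endif
+};
+}
+
 /// <summary>
 /// Clears any existing elements in a collection and fills the collection with a given set of values.
 /// </summary>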
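Review bot: As rendered, the new doc comment opens at line 359 with `/// Creates the XML reader settings to use for reading XML from untrusted sources.` and then closes `</summary>` at line 360 with no `<summary>` opener; unless that is a display artifact, the XML documentation is malformed (compiler warning CS1570) and the summary is lost from generated docs, so add `/// <summary>` before line 359. The settings themselves cap entity expansion at 1024 characters, null the resolver and prohibit DTDs, but leave `MaxCharactersInDocument` at its default of unlimited, so every caller in this commit that does not set it (the InfoCard token, XRDS and Yadis readers) is bounded only by whatever the transport layer already enforces on the response; either a conservative default here or a note in `<remarks>` telling callers to set it would close that gap. It would also help to state the failure mode in `<remarks>`, e.g. `/// Readers built from these settings throw XmlException on any DOCTYPE or on entity expansion beyond the cap; callers reading remote content should treat that as a protocol failure, not a crash.`, because `DtdProcessing.Prohibit` turns a previously tolerated document into an exception at each call site.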

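--- a/src/DotNetOpenAuth.InfoCard/InfoCard/Token/Token.cs
+++ b/src/DotNetOpenAuth.InfoCard/InfoCard/Token/Token.cs
@@ -51,7 +51,8 @@ private Token(string tokenXml, Uri audience, TokenDecryptor decryptor) {
 string decryptedString;
 
 using (StringReader xmlReader = new StringReader(tokenXml)) {
-using (XmlReader tokenReader = XmlReader.Create(xmlReader)) {
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+using (XmlReader tokenReader = XmlReader.Create(xmlReader, readerSettings)) {
 Contract.Assume(tokenReader != null); // BCL contract should say XmlReader.Create result != null
 if (IsEncrypted(tokenReader)) {
 Logger.InfoCard.DebugFormat("Incoming SAML token, before decryption: {0}", tokenXml);
@@ -206,7 +207,8 @@ internal static bool IsEncrypted(string tokenXml) {
 var stringReader = new StringReader(tokenXml);
 XmlReader tokenReader;
 try {
-tokenReader = XmlReader.Create(stringReader);
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+tokenReader = XmlReader.Create(stringReader, readerSettings);
 } catch {
 stringReader.Dispose();
 throw;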
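Review bot: The hardened settings now govern the first parse of `tokenXml`, but the constructor declares `decryptedString` at line 51 and the branch at line 57 logs the token "before decryption", so the decrypted payload is evidently parsed a second time further down, outside the hunk; decrypting with the relying party's key does not make that content trusted — it is still whatever the identity selector or STS sent — so that second parse needs `MessagingUtilities.CreateUntrustedXmlReaderSettings()` as well, otherwise the DTD/entity limits protect only the `EncryptedData` wrapper. Please also confirm that the `XmlException` now raised by `DtdProcessing.Prohibit` surfaces from both sites as a token-validation failure rather than an unhandled exception; in `IsEncrypted(string)` the `try` at line 209 only covers `XmlReader.Create`, and as far as I can see the actual parse happens on the first `Read`, outside it. Both the constructor and `IsEncrypted(string)` start and end outside the hunk.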

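--- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/HostMetaDiscoveryService.cs
+++ b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/HostMetaDiscoveryService.cs
@@ -120,7 +120,8 @@ public IEnumerable<IdentifierDiscoveryResult> Discover(Identifier identifier, ID
 using (var response = GetXrdsResponse(uriIdentifier, requestHandler, out signingHost)) {
 if (response != null) {
 try {
-var document = new XrdsDocument(XmlReader.Create(response.ResponseStream));
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+var document = new XrdsDocument(XmlReader.Create(response.ResponseStream, readerSettings));
 ValidateXmlDSig(document, uriIdentifier, response, signingHost);
 var xrds = GetXrdElements(document, uriIdentifier.Uri.Host);
 
@@ -196,7 +197,8 @@ private static IEnumerable<IdentifierDiscoveryResult> GetExternalServices(IEnume
 string nextAuthority = nextAuthorityNode != null ? nextAuthorityNode.Value.Trim() : identifier.Uri.Host;
 try {
 using (var externalXrdsResponse = GetXrdsResponse(identifier, requestHandler, externalLocation)) {
-XrdsDocument externalXrds = new XrdsDocument(XmlReader.Create(externalXrdsResponse.ResponseStream));
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+XrdsDocument externalXrds = new XrdsDocument(XmlReader.Create(externalXrdsResponse.ResponseStream, readerSettings));
 ValidateXmlDSig(externalXrds, identifier, externalXrdsResponse, nextAuthority);
 results.AddRange(GetXrdElements(externalXrds, identifier).CreateServiceEndpoints(identifier, identifier));
 }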
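Review bot: With DTDs prohibited by the shared settings, a host-meta XRDS document carrying a DOCTYPE now makes the reader passed to `XrdsDocument` at lines 124 and 201 throw `XmlException` from inside the `try` blocks at lines 122 and 198; the matching `catch` clauses are outside the hunk, so please verify they cover `XmlException` so a hostile or merely unusual document degrades to "no results from this source" rather than escaping `Discover`. The two readers are also never disposed; unless `XrdsDocument` takes ownership (not visible here), `using (var reader = XmlReader.Create(response.ResponseStream, readerSettings)) { var document = new XrdsDocument(reader); ... }` around the construction and `ValidateXmlDSig` is tidier, though nothing leaks today because each response stream is already in a `using`. `Discover` and `GetExternalServices` both begin and end outside the hunk.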

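--- a/src/DotNetOpenAuth.OpenId/OpenId/UriIdentifier.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/UriIdentifier.cs
@@ -90,6 +90,10 @@ static UriIdentifier() {
 // We must be running in partial trust. Nothing more we can do.
 Logger.OpenId.Warn("Unable to coerce .NET to stop compressing URI paths due to partial trust limitations. Some URL identifiers may be unable to complete login.");
 Reporting.RecordFeatureUse("PartialTrust");
+} catch (FieldAccessException) { // one customer reported getting this exception
+// We must be running in partial trust. Nothing more we can do.
+Logger.OpenId.Warn("Unable to coerce .NET to stop compressing URI paths due to partial trust limitations. Some URL identifiers may be unable to complete login.");
+Reporting.RecordFeatureUse("PartialTrust");
 }
 }
 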
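Review bot: The new `catch (FieldAccessException)` at line 93 repeats the preceding handler's body verbatim (same warning text, same `Reporting.RecordFeatureUse("PartialTrust")`), so the two will drift the next time one is edited; move the comment, `Logger.OpenId.Warn(...)` and `Reporting.RecordFeatureUse(...)` into a private static helper, e.g. `ReportPartialTrustLimitation()`, and call it from both clauses. The preceding clause's exception type and the guarded reflection call are outside the hunk, so I cannot tell whether one broader type would cover both; `FieldAccessException` derives from `MemberAccessException` and shares no useful base with `SecurityException`, so the helper is the safe refactor. The static constructor starts outside the hunk.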
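--- a/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
@@ -77,7 +77,8 @@ private static XrdsDocument DownloadXrds(XriIdentifier identifier, IDirectWebReq
 Contract.Ensures(Contract.Result<XrdsDocument>() != null);
 XrdsDocument doc;
 using (var xrdsResponse = Yadis.Request(requestHandler, GetXrdsUrl(identifier), identifier.IsDiscoverySecureEndToEnd)) {
-doc = new XrdsDocument(XmlReader.Create(xrdsResponse.ResponseStream));
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+doc = new XrdsDocument(XmlReader.Create(xrdsResponse.ResponseStream, readerSettings));
 }
 ErrorUtilities.VerifyProtocol(doc.IsXrdResolutionSuccessful, OpenIdStrings.XriResolutionFailed);
 return doc;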
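Review bot: `DownloadXrds` promises a non-null document and converts a failed resolution into a protocol error through `VerifyProtocol` at line 83, but with DTDs now prohibited the reader built at line 81 can throw a raw `XmlException` for a proxy response containing a DOCTYPE (or any malformed XML), which leaves the method through a different exception type than `XriResolutionFailed` and so gives callers two failure modes for bad proxy output. Catch `XmlException` around the `new XrdsDocument(...)` call and rethrow it via the same protocol-error path with the original as inner exception; whether `ErrorUtilities` already offers a wrapping helper is not visible here. The method's signature line is outside the hunk.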

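--- a/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
+++ b/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
@@ -190,7 +190,8 @@ private static bool IsXrdsDocument(CachedDirectWebResponse response) {
 if (response.ContentType.MediaType == ContentTypes.Xml) {
 // This COULD be an XRDS document with an imprecise content-type.
 response.ResponseStream.Seek(0, SeekOrigin.Begin);
-XmlReader reader = XmlReader.Create(response.ResponseStream);
+var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+XmlReader reader = XmlReader.Create(response.ResponseStream, readerSettings);
 while (reader.Read() && reader.NodeType != XmlNodeType.Element) {
 // intentionally blank
 }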
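Review bot: `IsXrdsDocument` is a sniff — the comment at line 191 says the body only *could* be XRDS — yet `reader.Read()` at line 195 now throws `XmlException` for any DOCTYPE (prohibited by the new settings) and for malformed XML, so probing an arbitrary `text/xml` response can turn a "not XRDS" answer into an exception out of Yadis discovery. Guard the probe: `try { while (reader.Read() && reader.NodeType != XmlNodeType.Element) { } } catch (XmlException) { return false; }`, which keeps the answer a plain boolean for hostile or sloppy servers. The reader is also never disposed; since `XmlReaderSettings.CloseInput` defaults to false, a `using` on it would not close the response stream that this method rewinds at line 192 and that may be re-read afterwards, so it can be disposed safely. The rest of the method is outside the hunk.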
