Added warning mechanism for return_to URLs that include openid parame…

…ters.
DotNetOpenAuth · Apr 27, 2008 · 603672f · 603672f
1 parent 8c760c5
commit 603672f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/src/DotNetOpenId/RelyingParty/AuthenticationRequest.cs b/src/DotNetOpenId/RelyingParty/AuthenticationRequest.cs
@@ -63,6 +63,15 @@ class AuthenticationRequest : IAuthenticationRequest {
 				Trace.TraceInformation("Return To: {0}", returnToUrl);
 				Trace.Unindent();
 			}
+			if (TraceUtil.Switch.TraceWarning && returnToUrl.Query != null) {
+				NameValueCollection returnToArgs = HttpUtility.ParseQueryString(returnToUrl.Query);
+				foreach (string key in returnToArgs) {
+					if (OpenIdRelyingParty.ShouldParameterBeStrippedFromReturnToUrl(key)) {
+						Trace.TraceWarning("OpenId argument \"{0}\" found in return_to URL.  This can corrupt an OpenID response.", key);
+						break;
+					}
+				}
+			}
 
 			var endpoint = userSuppliedIdentifier.Discover();
 			if (endpoint == null)

diff --git a/src/DotNetOpenId/RelyingParty/OpenIdRelyingParty.cs b/src/DotNetOpenId/RelyingParty/OpenIdRelyingParty.cs
@@ -17,7 +17,7 @@ public class OpenIdRelyingParty {
 		IRelyingPartyApplicationStore store;
 		Uri request;
 		IDictionary<string, string> query;
-		
+
 		/// <summary>
 		/// Constructs an OpenId consumer that uses the current HttpContext request
 		/// and uses the HttpApplication dictionary as its association store.
@@ -87,7 +87,6 @@ public class OpenIdRelyingParty {
 		/// </remarks>
 		public IAuthenticationRequest CreateRequest(Identifier userSuppliedIdentifier, Realm realm) {
 			if (HttpContext.Current == null) throw new InvalidOperationException(Strings.CurrentHttpContextRequired);
-			Protocol protocol = Protocol.Default;
 
 			// Build the return_to URL
 			UriBuilder returnTo = new UriBuilder(HttpContext.Current.Request.Url);
@@ -96,8 +95,7 @@ public class OpenIdRelyingParty {
 			returnTo.Query = string.Empty;
 			var returnToParams = new Dictionary<string, string>(HttpContext.Current.Request.QueryString.Count);
 			foreach (string key in HttpContext.Current.Request.QueryString) {
-				if (!key.StartsWith(protocol.openid.Prefix, StringComparison.OrdinalIgnoreCase) 
-					&& key != Token.TokenKey) {
+				if (!ShouldParameterBeStrippedFromReturnToUrl(key)) {
 					returnToParams.Add(key, HttpContext.Current.Request.QueryString[key]);
 				}
 			}
@@ -106,6 +104,12 @@ public class OpenIdRelyingParty {
 			return CreateRequest(userSuppliedIdentifier, realm, returnTo.Uri);
 		}
 
+		internal static bool ShouldParameterBeStrippedFromReturnToUrl(string parameterName) {
+			Protocol protocol = Protocol.Default;
+			return parameterName.StartsWith(protocol.openid.Prefix, StringComparison.OrdinalIgnoreCase)
+				|| parameterName == Token.TokenKey;
+		}
+
 		/// <remarks>
 		/// This method requires an ASP.NET HttpContext.
 		/// </remarks>