PR feedback

This commit is contained in:
Ryan Nowak 2015-12-16 12:48:03 -08:00
parent ea43ce1bb7
commit bf6406bc2a
2 changed files with 10 additions and 16 deletions

View File

@ -11,10 +11,9 @@ namespace Microsoft.AspNet.Antiforgery
public class AntiforgeryOptions public class AntiforgeryOptions
{ {
private const string AntiforgeryTokenFieldName = "__RequestVerificationToken"; private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
private const string AntiforgertyTokenHeaderName = "RequestVerificationToken"; private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
private string _cookieName; private string _cookieName;
private string _headerName = AntiforgertyTokenHeaderName;
private string _formFieldName = AntiforgeryTokenFieldName; private string _formFieldName = AntiforgeryTokenFieldName;
/// <summary> /// <summary>
@ -64,11 +63,7 @@ namespace Microsoft.AspNet.Antiforgery
/// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then /// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then
/// antiforgery validation will only consider form data. /// antiforgery validation will only consider form data.
/// </summary> /// </summary>
public string HeaderName public string HeaderName { get; set; } = AntiforgeryTokenHeaderName;
{
get { return _headerName; }
set { _headerName = value; }
}
/// <summary> /// <summary>
/// Specifies whether SSL is required for the antiforgery system /// Specifies whether SSL is required for the antiforgery system

View File

@ -123,7 +123,7 @@ namespace Microsoft.AspNet.Antiforgery
} }
// Are the security tokens embedded in each incoming token identical? // Are the security tokens embedded in each incoming token identical?
if (!Equals(cookieToken.SecurityToken, requestToken.SecurityToken)) if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
{ {
throw new InvalidOperationException(Resources.AntiforgeryToken_SecurityTokenMismatch); throw new InvalidOperationException(Resources.AntiforgeryToken_SecurityTokenMismatch);
} }
@ -144,15 +144,14 @@ namespace Microsoft.AspNet.Antiforgery
// OpenID and other similar authentication schemes use URIs for the username. // OpenID and other similar authentication schemes use URIs for the username.
// These should be treated as case-sensitive. // These should be treated as case-sensitive.
var useCaseSensitiveUsernameComparison = var comparer = StringComparer.OrdinalIgnoreCase;
currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) || if (currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase); currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
{
comparer = StringComparer.Ordinal;
}
if (!string.Equals(requestToken.Username, if (!comparer.Equals(requestToken.Username, currentUsername))
currentUsername,
(useCaseSensitiveUsernameComparison) ?
StringComparison.Ordinal :
StringComparison.OrdinalIgnoreCase))
{ {
throw new InvalidOperationException( throw new InvalidOperationException(
Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername)); Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername));