PR feedback
This commit is contained in:
parent
ea43ce1bb7
commit
bf6406bc2a
|
|
@ -11,10 +11,9 @@ namespace Microsoft.AspNet.Antiforgery
|
||||||
public class AntiforgeryOptions
|
public class AntiforgeryOptions
|
||||||
{
|
{
|
||||||
private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
|
private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
|
||||||
private const string AntiforgertyTokenHeaderName = "RequestVerificationToken";
|
private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
|
||||||
|
|
||||||
private string _cookieName;
|
private string _cookieName;
|
||||||
private string _headerName = AntiforgertyTokenHeaderName;
|
|
||||||
private string _formFieldName = AntiforgeryTokenFieldName;
|
private string _formFieldName = AntiforgeryTokenFieldName;
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
|
|
@ -64,11 +63,7 @@ namespace Microsoft.AspNet.Antiforgery
|
||||||
/// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then
|
/// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then
|
||||||
/// antiforgery validation will only consider form data.
|
/// antiforgery validation will only consider form data.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
public string HeaderName
|
public string HeaderName { get; set; } = AntiforgeryTokenHeaderName;
|
||||||
{
|
|
||||||
get { return _headerName; }
|
|
||||||
set { _headerName = value; }
|
|
||||||
}
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Specifies whether SSL is required for the antiforgery system
|
/// Specifies whether SSL is required for the antiforgery system
|
||||||
|
|
|
||||||
|
|
@ -123,7 +123,7 @@ namespace Microsoft.AspNet.Antiforgery
|
||||||
}
|
}
|
||||||
|
|
||||||
// Are the security tokens embedded in each incoming token identical?
|
// Are the security tokens embedded in each incoming token identical?
|
||||||
if (!Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
|
if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
|
||||||
{
|
{
|
||||||
throw new InvalidOperationException(Resources.AntiforgeryToken_SecurityTokenMismatch);
|
throw new InvalidOperationException(Resources.AntiforgeryToken_SecurityTokenMismatch);
|
||||||
}
|
}
|
||||||
|
|
@ -144,15 +144,14 @@ namespace Microsoft.AspNet.Antiforgery
|
||||||
|
|
||||||
// OpenID and other similar authentication schemes use URIs for the username.
|
// OpenID and other similar authentication schemes use URIs for the username.
|
||||||
// These should be treated as case-sensitive.
|
// These should be treated as case-sensitive.
|
||||||
var useCaseSensitiveUsernameComparison =
|
var comparer = StringComparer.OrdinalIgnoreCase;
|
||||||
currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
|
if (currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
|
||||||
currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
|
currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
|
||||||
|
{
|
||||||
|
comparer = StringComparer.Ordinal;
|
||||||
|
}
|
||||||
|
|
||||||
if (!string.Equals(requestToken.Username,
|
if (!comparer.Equals(requestToken.Username, currentUsername))
|
||||||
currentUsername,
|
|
||||||
(useCaseSensitiveUsernameComparison) ?
|
|
||||||
StringComparison.Ordinal :
|
|
||||||
StringComparison.OrdinalIgnoreCase))
|
|
||||||
{
|
{
|
||||||
throw new InvalidOperationException(
|
throw new InvalidOperationException(
|
||||||
Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername));
|
Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername));
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue