commit 04245de5c480db5dff5983467f7a8606f1321ed6
Author: Marek Habersack <grendel@twistedcode.net>
Date: Tue Jul 24 18:49:34 2012 -0400
Fix for Novell bug #739119
diff --git a/mcs/class/System.Web/System.Web.Util/SecureHashCodeProvider.cs b/mcs/class/System.Web/System.Web.Util/SecureHashCodeProvider.cs
new file mode 100644
index 0000000..165022c
--- /dev/null
+++ b/mcs/class/System.Web/System.Web.Util/SecureHashCodeProvider.cs
@@ -0,0 +1,131 @@
+//
+// System.Collections.SecureHashCodeProvider.cs
+//
+// Authors:
+// Sergey Chaban (serge@wildwestsoftware.com)
+// Andreas Nahr (ClassDevelopment@A-SoftTech.com)
+// Sebastien Pouliot <sebastien@ximian.com>
+//
+// Copyright (C) 2004-2005 Novell, Inc (http://www.novell.com)
+// Copyright 2012 Xamarin, Inc (http://xamarin.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+//
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+using System;
+using System.Collections;
+using System.Globalization;
+
+namespace System.Web.Util
+{
+ class SecureHashCodeProvider : IHashCodeProvider
+ {
+ static readonly SecureHashCodeProvider singletonInvariant = new SecureHashCodeProvider (CultureInfo.InvariantCulture);
+ static SecureHashCodeProvider singleton;
+ static readonly object sync = new object ();
+ static readonly int seed;
+
+ TextInfo m_text; // must match MS name for serialization
+
+ public static SecureHashCodeProvider Default {
+ get {
+ lock (sync) {
+ if (singleton == null) {
+ singleton = new SecureHashCodeProvider ();
+ } else if (singleton.m_text == null) {
+ if (!AreEqual (CultureInfo.CurrentCulture, CultureInfo.InvariantCulture))
+ singleton = new SecureHashCodeProvider ();
+ } else if (!AreEqual (singleton.m_text, CultureInfo.CurrentCulture)) {
+ singleton = new SecureHashCodeProvider ();
+ }
+ return singleton;
+ }
+ }
+ }
+
+ public static SecureHashCodeProvider DefaultInvariant {
+ get { return singletonInvariant; }
+ }
+
+ static SecureHashCodeProvider ()
+ {
+ // It should be enough to fend off the attack described in
+ // https://bugzilla.novell.com/show_bug.cgi?id=739119
+ // In order to predict value of the seed, the attacker would have to know the exact time when
+ // the server process started and since it's a remote attack, this is next to impossible.
+ // Using milliseconds instead of ticks here would make it easier for the attackers since there
+ // would only be as many as 1000 possible values
+ seed = (int)DateTime.UtcNow.Ticks;
+ }
+
+ // Public instance constructor
+ public SecureHashCodeProvider ()
+ {
+ CultureInfo culture = CultureInfo.CurrentCulture;
+ if (!AreEqual (culture, CultureInfo.InvariantCulture))
+ m_text = CultureInfo.CurrentCulture.TextInfo;
+ }
+
+ public SecureHashCodeProvider (CultureInfo culture)
+ {
+ if (culture == null)
+ throw new ArgumentNullException ("culture");
+ if (!AreEqual (culture, CultureInfo.InvariantCulture))
+ m_text = culture.TextInfo;
+ }
+
+ static bool AreEqual (CultureInfo a, CultureInfo b)
+ {
+ return a.LCID == b.LCID;
+ }
+
+ static bool AreEqual (TextInfo info, CultureInfo culture)
+ {
+ return info.LCID == culture.LCID;
+ }
+
+ public int GetHashCode (object obj)
+ {
+ if (obj == null)
+ throw new ArgumentNullException ("obj");
+
+ string str = obj as string;
+
+ if (str == null)
+ return obj.GetHashCode ();
+
+ int h = seed;
+ char c;
+
+ if ((m_text != null) && !AreEqual (m_text, CultureInfo.InvariantCulture)) {
+ str = m_text.ToLower (str);
+ for (int i = 0; i < str.Length; i++) {
+ c = str [i];
+ h = h * 31 + c;
+ }
+ } else {
+ for (int i = 0; i < str.Length; i++) {
+ c = Char.ToLower (str [i], CultureInfo.InvariantCulture);
+ h = h * 31 + c;
+ }
+ }
+ return h;
+ }
+ }
+}
diff --git a/mcs/class/System.Web/System.Web.dll.sources b/mcs/class/System.Web/System.Web.dll.sources
index ca7745a..aa41fca 100644
--- a/mcs/class/System.Web/System.Web.dll.sources
+++ b/mcs/class/System.Web/System.Web.dll.sources
@@ -1174,6 +1174,7 @@ System.Web.Util/IWebPropertyAccessor.cs
System.Web.Util/MachineKeySectionUtils.cs
System.Web.Util/RuntimeHelpers.cs
System.Web.Util/SearchPattern.cs
+System.Web.Util/SecureHashCodeProvider.cs
System.Web.Util/SerializationHelper.cs
System.Web.Util/StrUtils.cs
System.Web.Util/TimeUtil.cs
diff --git a/mcs/class/System.Web/System.Web/WebROCollection.cs b/mcs/class/System.Web/System.Web/WebROCollection.cs
index ddb2e30..e1b98df 100644
--- a/mcs/class/System.Web/System.Web/WebROCollection.cs
+++ b/mcs/class/System.Web/System.Web/WebROCollection.cs
@@ -5,6 +5,7 @@
// Gonzalo Paniagua Javier (gonzalo@novell.com)
//
// (c) 2005-2009 Novell, Inc. (http://www.novell.com)
+// Copyright 2012 Xamarin, Inc (http://xamarin.com)
//
//
// Permission is hereby granted, free of charge, to any person obtaining
@@ -26,8 +27,10 @@
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
+using System.Collections;
using System.Collections.Specialized;
using System.Text;
+using System.Web.Util;
namespace System.Web
{
@@ -36,7 +39,7 @@ namespace System.Web
bool got_id;
int id;
- public WebROCollection () : base (StringComparer.OrdinalIgnoreCase) { }
+ public WebROCollection () : base (SecureHashCodeProvider.DefaultInvariant, CaseInsensitiveComparer.DefaultInvariant) { }
public bool GotID {
get { return got_id; }
}
commit 049bb49f1c5b650166de2a266bc1879c5def0190
Author: Marek Habersack <grendel@twistedcode.net>
Date: Wed Jul 25 08:42:09 2012 -0400
Update to fix for Novell bug #739119
diff --git a/mcs/class/System.Web/System.Web.UI/Page.cs b/mcs/class/System.Web/System.Web.UI/Page.cs
index 989af7e..b2316a4 100644
--- a/mcs/class/System.Web/System.Web.UI/Page.cs
+++ b/mcs/class/System.Web/System.Web.UI/Page.cs
@@ -1175,7 +1175,7 @@ public partial class Page : TemplateControl, IHttpHandler
void ProcessPostData (NameValueCollection data, bool second)
{
- NameValueCollection requestValues = _requestValueCollection == null ? new NameValueCollection () : _requestValueCollection;
+ NameValueCollection requestValues = _requestValueCollection == null ? new NameValueCollection (SecureHashCodeProvider.DefaultInvariant, CaseInsensitiveComparer.DefaultInvariant) : _requestValueCollection;
if (data != null && data.Count > 0) {
var used = new Dictionary <string, string> (StringComparer.Ordinal);
@@ -1210,7 +1210,7 @@ public partial class Page : TemplateControl, IHttpHandler
} else if (!second) {
if (secondPostData == null)
- secondPostData = new NameValueCollection ();
+ secondPostData = new NameValueCollection (SecureHashCodeProvider.DefaultInvariant, CaseInsensitiveComparer.DefaultInvariant);
secondPostData.Add (id, data [id]);
}
}
distrib
>
Mageia
>
3
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
47e44445d1a43191c90ea49fb6218314
>
files
>
3
