// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
-#if NET_2_0
+
+#if NET_2_0 && SECURITY_DEP
+
using System.Collections;
using System.Collections.Specialized;
using System.Globalization;
}
static char [] separators = new char [] { ' ' };
- // From WebRequestMethods.Http
+
+#if false
static readonly string [] methods = new string [] { "GET", "POST", "HEAD",
"PUT", "CONNECT", "MKCOL" };
+#endif
internal void SetRequestLine (string req)
{
string [] parts = req.Split (separators, 3);
}
method = parts [0];
+ foreach (char c in method){
+ int ic = (int) c;
+
+ if ((ic >= 'A' && ic <= 'Z') ||
+ (ic >= 'a' && ic <= 'z') ||
+ (ic > 32 && c < 127 && c != '(' && c != ')' && c != '<' &&
+ c != '<' && c != '>' && c != '@' && c != ',' && c != ';' &&
+ c != ':' && c != '\\' && c != '"' && c != '/' && c != '[' &&
+ c != ']' && c != '?' && c != '=' && c != '{' && c != '}'))
+ continue;
+
+ context.ErrorMessage = "(Invalid verb)";
+ return;
+ }
+
+#if false
+ //
+ // According to bug #80504 we should allow any verbs to go
+ // through.
+ //
if (Array.IndexOf (methods, method) == -1) {
context.ErrorMessage = "Invalid request line (verb).";
return;
}
+#endif
raw_url = parts [1];
if (parts [2].Length != 8 || !parts [2].StartsWith ("HTTP/")) {
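Review bot: An empty verb passes the new character check: if the request line starts with a space, `req.Split (separators, 3)` yields `parts [0] == ""`, the `foreach` body never runs, and `method` is accepted. A length guard before the loop closes this, e.g. `if (method.Length == 0) { context.ErrorMessage = "(Invalid verb)"; return; }`. The condition also tests `c != '<'` twice, and the two letter-range clauses are already covered by `ic > 32 && c < 127`, so it can be reduced to that range test plus the separator list. With the `methods` allow-list now under `#if false`, any syntactically valid token reaches later code as `method`, so consumers should presumably not assume one of the six previously listed verbs. SetRequestLine begins before this hunk and continues past it, so checks outside the visible lines could not be confirmed.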
return;
}
- input_stream = context.Connection.GetRequestStream (is_chunked);
+ if (is_chunked || content_length > 0) {
+ input_stream = context.Connection.GetRequestStream (is_chunked, content_length);
+ }
+
if (Headers ["Expect"] == "100-continue") {
ResponseStream output = context.Connection.GetResponseStream ();
output.InternalWrite (_100continue, 0, _100continue.Length);