Tuesday, April 13, 2010

DotNetOpenAuth v3.4.3 released

DotNetOpenAuth has just seen a minor release, v3.4.3. The fixes center on corner-case interoperability issues that caused a very small percentage (<0.5%) of OpenID users to be unable to log into your relying party web sites, plus a few other miscellaneous fixes.

Go download it now.

The OpenID “dot bug”

The most noteworthy fix was a very difficult one to pull off, namely the bug that left OpenIDs with trailing dots unsupported. Back in the 1990s, classic ASP had the infamous “dot bug”, where a trailing dot appended to a URL path would reveal the source code of the server-side script: a fatal security hole that was (of course) patched. I think that this might have inspired the .NET Framework’s Uri class design to automatically remove trailing dots from each path segment in a Uri instance. Since FAT and NTFS file systems don’t support trailing dots on filenames, this causes no problem as long as the URL maps to a file on a Windows file system.

But when these URLs are actually OpenIDs, and those OpenIDs contain base64-encoded path segments in an alphabet where one of the two non-alphanumeric characters is a period (à la Yahoo’s pseudonymous OpenIDs), then approximately 1.5% of such base64-encoded OpenIDs end in a period. So what’s the problem? When an OpenID positive assertion arrives at an OpenID relying party web site built on .NET with a claimed_id that ends with a period, .NET quietly strips the period from the claimed_id, causing the login either to fail or (arguably worse) to succeed with OpenID discovery misdirected to the wrong URL (the one with the trailing dot stripped).

The .NET Framework provides no (supported) way to turn off this dot-stripping behavior. If your relying party web site runs under Full Trust you can set some internal flags via reflection to suppress it, but that has some nasty side effects. If you’re on Medium Trust, you’re sunk.
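As an added illustration of the dot-stripping just described (this is example code, not DotNetOpenAuth’s own fix), the snippet below shows how a relying party can at least detect that System.Uri has rewritten a claimed_id and refuse the assertion instead of silently running discovery against the wrong URL. Whether the dot is actually stripped depends on the .NET Framework version in use, so the check reports what the runtime did rather than assuming it. The identifiers and the class name TrailingDotCheck are constructed for the example.

```csharp
using System;

// Added example, not DotNetOpenAuth's own code: detect the Uri trailing-dot
// rewrite described above and refuse to accept a claimed_id that the runtime
// silently changed. Which .NET Framework versions strip the dot is runtime
// dependent, so the outcome is reported, not assumed.
public static class TrailingDotCheck
{
    // Returns true when the raw claimed_id's last path segment ends with '.'
    // but System.Uri dropped that dot while parsing. A lone "." or ".."
    // segment is a dot-segment that RFC 3986 normalization legitimately
    // removes, so those are not counted as stripping.
    public static bool DotWasStripped(string rawClaimedId, out Uri parsed)
    {
        parsed = new Uri(rawClaimedId, UriKind.Absolute);

        // Look only at the path part of the raw string (ignore query/fragment).
        string rawPath = rawClaimedId;
        int cut = rawPath.IndexOfAny(new[] { '?', '#' });
        if (cut >= 0) rawPath = rawPath.Substring(0, cut);

        string lastSegment = rawPath.Substring(rawPath.LastIndexOf('/') + 1);
        bool rawEndsWithDot = lastSegment.EndsWith(".", StringComparison.Ordinal)
            && lastSegment != "." && lastSegment != "..";
        bool parsedEndsWithDot = parsed.AbsolutePath.EndsWith(".", StringComparison.Ordinal);

        return rawEndsWithDot && !parsedEndsWithDot;
    }

    // Relying-party policy: an assertion whose claimed_id the runtime rewrote
    // is rejected, because discovery would otherwise run against the wrong
    // URL and the user would be logged in under an identifier they never proved.
    public static bool AcceptClaimedId(string rawClaimedId)
    {
        Uri parsed;
        if (DotWasStripped(rawClaimedId, out parsed))
        {
            Console.WriteLine("Rejected: runtime rewrote {0} to {1}",
                rawClaimedId, parsed.AbsoluteUri);
            return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample identifiers (not real OpenIDs). The second one
        // ends its last path segment with a period, as a small fraction of
        // base64-style pseudonymous identifiers do.
        string[] samples =
        {
            "https://example.invalid/id/AbCdEf",
            "https://example.invalid/id/AbCdE.",
        };

        foreach (string id in samples)
        {
            Console.WriteLine("{0}: {1}", id,
                AcceptClaimedId(id) ? "accepted" : "rejected");
        }
    }
}
```

Running this under a framework that strips the dot prints a rejection for the second identifier; under one that preserves it, both are accepted. Either way the relying party never proceeds with a claimed_id it did not actually receive, which turns the “succeed with discovery misdirected” case into a visible failure.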

But I’m pleased to say that DotNetOpenAuth has a solution, handling both Medium and Full Trust, that is as good as the .NET Framework will allow until the platform itself is fixed. I won’t bore you with all the gory details in this post, but suffice it to say that if you just download and use the new version, you’ll be working with OpenIDs even when they have trailing dots. Phew.