2005-09-23 Gonzalo Paniagua Javier <[email protected]>

	* System.Web.UI/Page.cs:
	* System.Web.UI/ViewStateOutputHashStream.cs:
	* System.Web.dll.sources: added support for viewstate MAC. It prevents
	the viewstate being altered on the client and it's disabled by default
	as per the documentation, but MS machine.config has it enabled in
	machine.config.


svn path=/trunk/mcs/; revision=50567

mcs/class/System.Web/System.Web.UI/ChangeLog

@@ -1,3 +1,11 @@
+2005-09-23 Gonzalo Paniagua Javier <[email protected]>
+
+	* Page.cs:
+	* ViewStateOutputHashStream.cs: added support for viewstate MAC. It
+	prevents the viewstate being altered on the client and it's disabled
+	by default as per the documentation, but MS machine.config has it
+	enabled in machine.config.
+
 2005-09-22  Miguel de Icaza  <[email protected]>
 
 	* DataBindingCollection.cs: Raise the event, remove MonoTODO.

mcs/class/System.Web/System.Web.UI/Page.cs

@@ -37,12 +37,14 @@ using System.ComponentModel.Design;
 using System.ComponentModel.Design.Serialization;
 using System.Globalization;
 using System.IO;
+using System.Security.Cryptography;
 using System.Security.Permissions;
 using System.Security.Principal;
 using System.Text;
 using System.Threading;
 using System.Web;
 using System.Web.Caching;
+using System.Web.Configuration;
 using System.Web.SessionState;
 using System.Web.Util;
 using System.Web.UI.HtmlControls;
@@ -97,6 +99,7 @@ public class Page : TemplateControl, IHttpHandler
 	protected const string postEventArgumentID = "__EVENTARGUMENT";
 	[EditorBrowsable (EditorBrowsableState.Never)]
 	protected const string postEventSourceID = "__EVENTTARGET";
+	const int HASH_SIZE = 16;
 
 #if NET_2_0
 	internal const string CallbackArgumentID = "__CALLBACKARGUMENT";
@@ -765,10 +768,19 @@ public class Page : TemplateControl, IHttpHandler
 	{
 		if (_savedViewState == null)
 			return null;
-		StringWriter sr = new StringWriter ();
+
 		LosFormatter fmt = new LosFormatter ();
-		fmt.Serialize (sr, _savedViewState);
-		return sr.GetStringBuilder ().ToString ();
+		PagesConfiguration config = PagesConfiguration.GetInstance (_context);
+		if (false == config.EnableViewStateMac) {
+			StringWriter sr = new StringWriter ();
+			fmt.Serialize (sr, _savedViewState);
+			return sr.GetStringBuilder ().ToString ();
+		}
+
+		ViewStateOutputHashStream stream;
+		stream = new ViewStateOutputHashStream (new MemoryStream (HASH_SIZE), GetTypeHashCode ());
+		fmt.Serialize (stream, _savedViewState);
+		return stream.GetBase64String ();
 	}
 
 	internal object GetSavedViewState ()
@@ -1139,12 +1151,43 @@ public class Page : TemplateControl, IHttpHandler
 			return null;
 
 		_savedViewState = null;
+		if (view_state == "")
+			return null;
+
 		LosFormatter fmt = new LosFormatter ();
+		PagesConfiguration config = PagesConfiguration.GetInstance (_context);
+		if (false == config.EnableViewStateMac) {
+			try {
+				_savedViewState = fmt.Deserialize (view_state);
+			} catch (Exception e) {
+				throw new HttpException ("Error restoring page viewstate.", e);
+			}
+		} else {
+			byte [] bytes = Convert.FromBase64String (view_state);
+			int length = bytes.Length;
+			if (length < HASH_SIZE)
+				throw new HttpException ("Error restoring page viewstate.");
+
+			int data_end = length - HASH_SIZE;
+			MemoryStream input = new MemoryStream ();
+			input.Write (BitConverter.GetBytes (GetTypeHashCode ()), 0, 4);
+			input.Write (bytes, 0, data_end);
+			input.Position = 0;
+			CryptoStream cs = new CryptoStream (input, SHA1.Create (), CryptoStreamMode.Read);
+			byte [] computed_hash = new byte [HASH_SIZE];
+			cs.Read (computed_hash, 0, HASH_SIZE);
+			for (int i = 0; i < HASH_SIZE; i++) {
+				if (computed_hash [i] != bytes [data_end + i])
+					throw new HttpException ("Error restoring page viewstate.");
+			}
+
 
-		try { 
-			_savedViewState = fmt.Deserialize (view_state);
-		} catch (Exception e) {
-			throw new HttpException ("Error restoring page viewstate.\n", e);
+			try {
+				input = new MemoryStream (bytes, 0, data_end, false, false);
+				_savedViewState = fmt.Deserialize (input);
+			} catch (Exception e) {
+				throw new HttpException ("Error restoring page viewstate.", e);
+			}
 		}
 
 		return _savedViewState;

mcs/class/System.Web/System.Web.UI/ViewStateOutputHashStream.cs

@@ -0,0 +1,63 @@
+//
+// System.Web.UI.ViewStateOutputHashStream
+//
+// Authors:
+//   Gonzalo Paniagua ([email protected])
+//
+// Copyright (c) 2005 Novell, Inc (http://www.novell.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+// 
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+// 
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace System.Web.UI {
+	class ViewStateOutputHashStream : CryptoStream {
+		MemoryStream hash;
+		MemoryStream data;
+
+		public ViewStateOutputHashStream (MemoryStream ms, int seed) :
+			base (ms, SHA1.Create (), CryptoStreamMode.Write)
+		{
+			this.hash = ms;
+			this.data = new MemoryStream ();
+			base.Write (BitConverter.GetBytes (seed), 0, 4);
+		}
+
+		public override void Write (byte[] buffer, int offset, int count)
+		{
+			data.Write (buffer, offset, count);
+			base.Write (buffer, offset, count);
+		}
+
+		public string GetBase64String ()
+		{
+			FlushFinalBlock ();
+			if (data.Length == 0)
+				return null;
+
+			data.Write (hash.GetBuffer (), 0, (int) hash.Length);
+			return Convert.ToBase64String (data.GetBuffer (), 0, (int) data.Length);
+		}
+	}
+}
+

mcs/class/System.Web/System.Web.dll.sources

@@ -488,6 +488,7 @@ System.Web.UI/ValidatorCollection.cs
 System.Web.UI/VerificationConditionalOperator.cs
 System.Web.UI/VerificationReportLevel.cs
 System.Web.UI/VerificationRule.cs
+System.Web.UI/ViewStateOutputHashStream.cs
 System.Web.UI.WebControls.Adapters/DataBoundControlAdapter.cs
 System.Web.UI.WebControls.Adapters/HideDisabledControlAdapter.cs
 System.Web.UI.WebControls.Adapters/HierarchicalDataBoundControlAdapter.cs