Issue 72: Sending Expect: 100-Continue header breaks HTTP/1.0 Providers
Status:  Fixed
Owner:  andrewarnott
Closed:  Apr 2008
Type-Interop
Priority-Medium
Release-2.0

Reported by derigel, Apr 27, 2008
What steps will reproduce the problem?
Login using OpenID account from openid.yandex.ru

What is the expected output? What do you see instead?
Expect login but get error 'The OpenId Provider responded with unrecognized
HTTP status code ExpectationFailed'.

What version of the product are you using? On what operating system?
Using DotNetOpenId-2.0.1.8115 on Windows Vista Ultimate x64.

Please provide any additional information below.
Error status (417) means that the server doesn't support the 'Expect' header which
.NET WebRequest sends. Since the POST data is pretty small in an OpenID request,
it is necessary to always send data without sending the 'Expect: 100-Continue' header.
Patch is attached.
 
Attachment: 0003-Don-t-send-Expect-HTTP-header-in-web-request.patch (1.1 KB)
Comment 1 by andrewarnott, Apr 27, 2008
Thanks for this report. 

I believe HTTP/1.1 supports this header and HTTP/1.0 does not, although to this point
I thought unsupported HTTP headers were supposed to be ignored.  

Thanks for the patch.  I haven't reviewed it yet but your explanation sounds good.
Summary: Sending Expect: 100-Continue header breaks HTTP/1.0 Providers
Labels: -Type-Defect Type-Interop
Comment 2 by andrewarnott, Apr 27, 2008
The patch appears to permanently change the behavior of the ServicePoint, which means
that anyone can permanently alter the way your web site makes requests for any host
by simply entering that host name as an OpenID at your login box.  

I'm experimenting with other ways of dropping the header that do not introduce this
security problem.
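
Added example, not part of the thread, the attached patch, or the project's fix: a regression check for the concern raised in Comment 2, that a setting written to a `ServicePoint` is shared by every later request to the same host. It assumes .NET Framework's `System.Net`; the class name, helper name and `.example` hosts are constructed for illustration, and the host-scoped lambda is only an assumed shape of such a change.

```csharp
using System;
using System.Net;

static class ServicePointLeakCheck
{
    // Returns true when configuring ONE request changed the shared per-host
    // ServicePoint that later requests to the same host will reuse.
    public static bool LeaksSharedState(Uri target, Action<HttpWebRequest> configure)
    {
        ServicePoint shared = ServicePointManager.FindServicePoint(target);
        bool before = shared.Expect100Continue;

        // Creating the request performs no network I/O.
        var request = (HttpWebRequest)WebRequest.Create(target);
        configure(request);

        // A fresh lookup models the next, unrelated request to this host.
        bool after = ServicePointManager.FindServicePoint(target).Expect100Continue;

        shared.Expect100Continue = before; // restore so the check has no side effect
        return before != after;
    }

    static void Main()
    {
        // Constructed hosts standing in for whatever a visitor types as an OpenID.
        var hostA = new Uri("https://provider-a.example/");
        var hostB = new Uri("https://provider-b.example/");

        // Host-scoped change: written through the request, stored on the shared object.
        bool hostScoped = LeaksSharedState(
            hostA, r => r.ServicePoint.Expect100Continue = false);

        // Request-scoped property, for contrast only: it lives on the request itself.
        bool requestScoped = LeaksSharedState(
            hostB, r => r.ProtocolVersion = HttpVersion.Version10);

        Console.WriteLine("host-scoped change leaks:    " + hostScoped);
        Console.WriteLine("request-scoped change leaks: " + requestScoped);
    }
}
```

Running a check like this against the code path that handles user-supplied identifiers shows whether handling one request alters how the site talks to that host afterwards.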
Comment 3 by andrewarnott, Apr 27, 2008
I have a potential fix, but I'm having difficulty testing it because I can't read the
language on the openid.yandex.ru site enough to create an account to test with.
Can you give me a Claimed Identifier I can test with? I don't even need the
credentials associated with it as I don't need to complete authentication.  I just
need the identifier itself.

Thanks.
Status: Started
Owner: andrewarnott
Labels: Release-1.0
Comment 4 by derigel, Apr 27, 2008
You can use derigel.ya.ru
Comment 5 by andrewarnott, Apr 27, 2008
Fixed in v2.0, v2.1, and master branches.
Status: Fixed
Labels: -Release-1.0 Release-2.0
Comment 6 by andrewarnott, Apr 27, 2008
Thank you for your report.