diff options
| author | Jessica Tallon <tsyesika@tsyesika.se> | 2015-12-20 01:11:31 +0000 |
|---|---|---|
| committer | Christopher Allan Webber <cwebber@dustycloud.org> | 2015-12-19 22:16:00 -0600 |
| commit | 86ee2d1a0e9057e26add65807191fc28b0eec568 (patch) | |
| tree | 6e0038a80eeaf7d2a242a9281779fd7bcff5c2cd | |
| parent | 6e38fec80ebaadc3b3cfdc912f40cc4e8bb9b31c (diff) | |
| download | mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.lz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.xz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.zip | |
Fix security issue in OAuth verifier validation
| -rw-r--r-- | mediagoblin/oauth/oauth.py | 11 | ||||
| -rw-r--r-- | mediagoblin/oauth/views.py | 10 |
2 files changed, 21 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py index c7951734..4a7f25c2 100644 --- a/mediagoblin/oauth/oauth.py +++ b/mediagoblin/oauth/oauth.py @@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator): return True + def validate_verifier(self, token, verifier): + """ Verifies the verifier token is correct. """ + request_token = RequestToken.query.filter_by(token=token).first() + if request_token is None: + return False + + if request_token.verifier != verifier: + return False + + return True + def validate_access_token(self, client_key, token, request): """ Verifies token exists for client with id of client_key """ client = Client.query.filter_by(id=client_key).first() diff --git a/mediagoblin/oauth/views.py b/mediagoblin/oauth/views.py index 1b4787d6..14ad1fac 100644 --- a/mediagoblin/oauth/views.py +++ b/mediagoblin/oauth/views.py @@ -337,6 +337,16 @@ def access_token(request): request.resource_owner_key = parsed_tokens["oauth_consumer_key"] request.oauth_token = parsed_tokens["oauth_token"] request_validator = GMGRequestValidator(data) + + # Check that the verifier is valid + verifier_valid = request_validator.validate_verifier( + token=request.oauth_token, + verifier=parsed_tokens["oauth_verifier"] + ) + if not verifier_valid: + error = "Verifier code or token incorrect" + return json_response({"error": error}, status=401) + av = AccessTokenEndpoint(request_validator) tokens = av.create_access_token(request, {}) return form_response(tokens) |