Fix security issue in OAuth verifier validation

author: Jessica Tallon <tsyesika@tsyesika.se> 2015-12-20 01:11:31 +0000
committer: Christopher Allan Webber <cwebber@dustycloud.org> 2015-12-19 22:16:00 -0600
commit: 86ee2d1a0e9057e26add65807191fc28b0eec568 (patch)
tree: 6e0038a80eeaf7d2a242a9281779fd7bcff5c2cd /mediagoblin/oauth/oauth.py
parent: 6e38fec80ebaadc3b3cfdc912f40cc4e8bb9b31c (diff)
download: mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.lz
mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.xz
mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index c7951734..4a7f25c2 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator):
 
         return True
 
+    def validate_verifier(self, token, verifier):
+        """ Verifies the verifier token is correct. """
+        request_token = RequestToken.query.filter_by(token=token).first()
+        if request_token is None:
+            return False
+
+        if request_token.verifier != verifier:
+            return False
+
+        return True
+
     def validate_access_token(self, client_key, token, request):
         """ Verifies token exists for client with id of client_key """
         client = Client.query.filter_by(id=client_key).first()
author	Jessica Tallon <tsyesika@tsyesika.se>	2015-12-20 01:11:31 +0000
committer	Christopher Allan Webber <cwebber@dustycloud.org>	2015-12-19 22:16:00 -0600
commit	86ee2d1a0e9057e26add65807191fc28b0eec568 (patch)
tree	6e0038a80eeaf7d2a242a9281779fd7bcff5c2cd /mediagoblin/oauth/oauth.py
parent	6e38fec80ebaadc3b3cfdc912f40cc4e8bb9b31c (diff)
download	mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.lz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.xz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.zip