authorJessica Tallon <tsyesika@tsyesika.se>2015-12-20 01:11:31 +0000
committerChristopher Allan Webber <cwebber@dustycloud.org>2015-12-19 22:16:00 -0600
commit86ee2d1a0e9057e26add65807191fc28b0eec568 (patch)
tree6e0038a80eeaf7d2a242a9281779fd7bcff5c2cd /mediagoblin/oauth/oauth.py
parent6e38fec80ebaadc3b3cfdc912f40cc4e8bb9b31c (diff)
Fix security issue in OAuth verifier validation
Diffstat (limited to 'mediagoblin/oauth/oauth.py')
-rw-r--r--mediagoblin/oauth/oauth.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index c7951734..4a7f25c2 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator):
return True
+ def validate_verifier(self, token, verifier):
+ """ Verifies the verifier token is correct. """
+ request_token = RequestToken.query.filter_by(token=token).first()
+ if request_token is None:
+ return False
+
+ if request_token.verifier != verifier:
+ return False
+
+ return True
+
def validate_access_token(self, client_key, token, request):
""" Verifies token exists for client with id of client_key """
client = Client.query.filter_by(id=client_key).first()
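Review bot: The check `request_token.verifier != verifier` in validate_verifier passes when both sides are unset, because `None != None` is false and the method falls through to `return True`. If a request token row can exist before the user has authorized it (the model is not shown here, so this is an assumption), a request that omits the verifier would be accepted; a guard such as `if not verifier or not request_token.verifier: return False` ahead of the comparison closes that. The comparison is also an ordinary string inequality, and a constant-time compare such as `hmac.compare_digest` would avoid revealing how much of a guessed verifier matched. The lookup filters on the token alone, so nothing in this method ties the request token to the client presenting it; it is worth confirming that the caller checks that binding.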