diff options
author | Jessica Tallon <tsyesika@tsyesika.se> | 2015-12-20 01:11:31 +0000 |
---|---|---|
committer | Christopher Allan Webber <cwebber@dustycloud.org> | 2015-12-19 22:16:00 -0600 |
commit | 86ee2d1a0e9057e26add65807191fc28b0eec568 (patch) | |
tree | 6e0038a80eeaf7d2a242a9281779fd7bcff5c2cd /mediagoblin/oauth/oauth.py | |
parent | 6e38fec80ebaadc3b3cfdc912f40cc4e8bb9b31c (diff) | |
download | mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.lz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.tar.xz mediagoblin-86ee2d1a0e9057e26add65807191fc28b0eec568.zip |
Fix security issue in OAuth verifier validation
Diffstat (limited to 'mediagoblin/oauth/oauth.py')
-rw-r--r-- | mediagoblin/oauth/oauth.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py index c7951734..4a7f25c2 100644 --- a/mediagoblin/oauth/oauth.py +++ b/mediagoblin/oauth/oauth.py @@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator): return True + def validate_verifier(self, token, verifier): + """ Verifies the verifier token is correct. """ + request_token = RequestToken.query.filter_by(token=token).first() + if request_token is None: + return False + + if request_token.verifier != verifier: + return False + + return True + def validate_access_token(self, client_key, token, request): """ Verifies token exists for client with id of client_key """ client = Client.query.filter_by(id=client_key).first() |