Fix security issue in OAuth verifier validation
authorJessica Tallon <tsyesika@tsyesika.se>
Sun, 20 Dec 2015 01:11:31 +0000 (01:11 +0000)
committerChristopher Allan Webber <cwebber@dustycloud.org>
Sun, 20 Dec 2015 04:16:00 +0000 (22:16 -0600)
mediagoblin/oauth/oauth.py
mediagoblin/oauth/views.py

index c7951734c9fb39916d117e748f3adba8df23ca76..4a7f25c2030af271604338dc47adc23fb06c488b 100644 (file)
@@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator):
 
         return True
 
+    def validate_verifier(self, token, verifier):
+        """ Verifies the verifier token is correct. """
+        request_token = RequestToken.query.filter_by(token=token).first()
+        if request_token is None:
+            return False
+
+        if request_token.verifier != verifier:
+            return False
+
+        return True
+
     def validate_access_token(self, client_key, token, request):
         """ Verifies token exists for client with id of client_key """
         client = Client.query.filter_by(id=client_key).first()
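Review bot: The comparison on the `request_token.verifier != verifier` line is a plain string compare, so the time it takes leaks how many leading characters of a guessed verifier matched; a constant-time compare is the usual choice for secret-equality checks like this one. With `import hmac` at the top of the module, the check becomes `if verifier is None or not hmac.compare_digest(request_token.verifier, verifier): return False` — the `None` guard is needed because `compare_digest` raises `TypeError` rather than returning False on a missing value (confirm the project's Python baseline has `hmac.compare_digest`, present from 2.7.7 / 3.3). If `GMGRequestValidator`'s base is oauthlib's `RequestValidator`, that hook also takes a trailing `request` argument; it is worth confirming the signature so the endpoint's own call into it does not fail with a `TypeError`. The docstring could also state the contract: `""" Return True only when a request token named by *token* exists and its stored verifier equals *verifier*. """`.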
index 1b4787d6d90b133780868aca71ec1a06b8c8a181..14ad1faceab841f845a7059026b0b544eb9f02de 100644 (file)
@@ -337,6 +337,16 @@ def access_token(request):
     request.resource_owner_key = parsed_tokens["oauth_consumer_key"]
     request.oauth_token = parsed_tokens["oauth_token"]
     request_validator = GMGRequestValidator(data)
+
+    # Check that the verifier is valid
+    verifier_valid = request_validator.validate_verifier(
+        token=request.oauth_token,
+        verifier=parsed_tokens["oauth_verifier"]
+    )
+    if not verifier_valid:
+        error = "Verifier code or token incorrect"
+        return json_response({"error": error}, status=401)
+
     av = AccessTokenEndpoint(request_validator)
     tokens = av.create_access_token(request, {})
     return form_response(tokens)
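Review bot: The `parsed_tokens["oauth_verifier"]` lookup on the new `validate_verifier(` call raises `KeyError` when a client omits the parameter, so a malformed request produces an unhandled exception (likely a 500) instead of the 401 the check was written to return. Reading it with `verifier=parsed_tokens.get("oauth_verifier")` keeps the missing-parameter case on the same rejection path, since `validate_verifier` then sees a value that cannot equal the stored verifier. The enclosing `access_token` function starts outside the hunk, so whether `parsed_tokens` is already validated for required fields earlier in the body cannot be confirmed from here.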