From 86ee2d1a0e9057e26add65807191fc28b0eec568 Mon Sep 17 00:00:00 2001 From: Jessica Tallon Date: Sun, 20 Dec 2015 01:11:31 +0000 Subject: [PATCH] Fix security issue in OAuth verifier validation --- mediagoblin/oauth/oauth.py | 11 +++++++++++ mediagoblin/oauth/views.py | 10 ++++++++++ 2 files changed, 21 insertions(+) diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py index c7951734..4a7f25c2 100644 --- a/mediagoblin/oauth/oauth.py +++ b/mediagoblin/oauth/oauth.py @@ -100,6 +100,17 @@ class GMGRequestValidator(RequestValidator): return True + def validate_verifier(self, token, verifier): + """ Verifies the verifier token is correct. """ + request_token = RequestToken.query.filter_by(token=token).first() + if request_token is None: + return False + + if request_token.verifier != verifier: + return False + + return True + def validate_access_token(self, client_key, token, request): """ Verifies token exists for client with id of client_key """ client = Client.query.filter_by(id=client_key).first() diff --git a/mediagoblin/oauth/views.py b/mediagoblin/oauth/views.py index 1b4787d6..14ad1fac 100644 --- a/mediagoblin/oauth/views.py +++ b/mediagoblin/oauth/views.py @@ -337,6 +337,16 @@ def access_token(request): request.resource_owner_key = parsed_tokens["oauth_consumer_key"] request.oauth_token = parsed_tokens["oauth_token"] request_validator = GMGRequestValidator(data) + + # Check that the verifier is valid + verifier_valid = request_validator.validate_verifier( + token=request.oauth_token, + verifier=parsed_tokens["oauth_verifier"] + ) + if not verifier_valid: + error = "Verifier code or token incorrect" + return json_response({"error": error}, status=401) + av = AccessTokenEndpoint(request_validator) tokens = av.create_access_token(request, {}) return form_response(tokens) -- 2.25.1