Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 148 by colmw...@gmail.com: SQL bug (with fix) in PostgreSQL Store checkServerNonce method
https://code.google.com/p/oauth-php/issues/detail?id=148
What steps will reproduce the problem?
1. Using the PostgreSQL store, replay a request using an already used nonce.
What is the expected output? What do you see instead?
Expected:
AuthException2 [ Error ]: Duplicate timestamp/nonce combination, possible replay attack. Request rejected.
Actual:
ERROR: duplicate key value violates unique constraint "oauth_server_nonce_osn_consumer_key_osn_token_osn_timestamp_key"
What version of the product are you using? On what operating system?
Version 175, OS: FreeBSD 10.1, PHP 5.4.29, PostgreSQL 9.3.4
Please provide any additional information below.
Replace lines 1616-1624 of library/store/OAuthStorePostgreSQL.php with the
following code to fix the issue:
    // Insert the nonce row only if the same consumer key / token /
    // timestamp / nonce combination is not already stored.
    $this->query('
        INSERT INTO oauth_server_nonce (
            osn_consumer_key,
            osn_token,
            osn_timestamp,
            osn_nonce
        )
        SELECT \'%s\', \'%s\', %d, \'%s\'
        WHERE NOT EXISTS (
            SELECT 1 FROM oauth_server_nonce
            WHERE osn_consumer_key = \'%s\'
            AND osn_token = \'%s\'
            AND osn_timestamp = %d
            AND osn_nonce = \'%s\'
        )',
        $consumer_key, $token, $timestamp, $nonce,
        $consumer_key, $token, $timestamp, $nonce);
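
The replay check described in the report above, as an added example that is not part of the original issue or of the oauth-php code base: it compares a plain insert with the guarded `WHERE NOT EXISTS` insert and maps both outcomes to the same replay rejection. Assumptions: an in-memory SQLite database stands in for PostgreSQL, the table definition and its four-column unique constraint are constructed, and the Python names (`ReplayError`, `check_server_nonce`, `replay_rejected`) are hypothetical.

```python
import sqlite3

# Constructed stand-in for the store's nonce table (SQLite, in memory).
SCHEMA = """CREATE TABLE oauth_server_nonce (
    osn_consumer_key TEXT NOT NULL, osn_token TEXT NOT NULL,
    osn_timestamp INTEGER NOT NULL, osn_nonce TEXT NOT NULL,
    UNIQUE (osn_consumer_key, osn_token, osn_timestamp, osn_nonce))"""

PLAIN_INSERT = """INSERT INTO oauth_server_nonce
    (osn_consumer_key, osn_token, osn_timestamp, osn_nonce)
    VALUES (:ck, :tok, :ts, :nonce)"""

# Same shape as the statement in the report, with bound parameters.
GUARDED_INSERT = """INSERT INTO oauth_server_nonce
    (osn_consumer_key, osn_token, osn_timestamp, osn_nonce)
    SELECT :ck, :tok, :ts, :nonce
    WHERE NOT EXISTS (
        SELECT 1 FROM oauth_server_nonce
        WHERE osn_consumer_key = :ck AND osn_token = :tok
          AND osn_timestamp = :ts AND osn_nonce = :nonce)"""


class ReplayError(Exception):
    """Duplicate timestamp/nonce combination; the request must be rejected."""


def check_server_nonce(conn, ck, tok, ts, nonce, sql=GUARDED_INSERT):
    """Record the nonce, or raise ReplayError if it was already used."""
    params = {"ck": ck, "tok": tok, "ts": int(ts), "nonce": nonce}
    try:
        inserted = conn.execute(sql, params).rowcount
    except sqlite3.IntegrityError:
        # The unique constraint fired: with PLAIN_INSERT on any duplicate, and
        # with GUARDED_INSERT when a concurrent request wins the race between
        # the NOT EXISTS check and the insert. Either way it is a replay.
        raise ReplayError("duplicate timestamp/nonce") from None
    if inserted == 0:  # NOT EXISTS filtered the row out
        raise ReplayError("duplicate timestamp/nonce")


def replay_rejected(sql):
    """Send the same constructed request twice; True if the second is refused."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    request = ("consumer-1", "token-1", 1400000000, "n-abc123")  # constructed
    check_server_nonce(conn, *request, sql=sql)  # first use is accepted
    try:
        check_server_nonce(conn, *request, sql=sql)
    except ReplayError:
        return True
    return False
```

Keeping the unique constraint in place and treating its violation as a replay means the request is still refused when two identical requests arrive concurrently.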