[tipfy] push by rodrigo.moraes - OpenID vulnerability fix as explained here - http://openid.net/2011/05... on 2011-07-18 11:17 GMT


ti...@googlecode.com

Jul 18, 2011, 7:18:50 AM7/18/11
to tipfy-...@googlegroups.com
Revision: 5439d7669540
Author: Kapil Sachdeva <ksach...@gmail.com>
Date: Sat Jul 16 09:06:16 2011
Log: OpenID vulnerability fix as explained here -
http://openid.net/2011/05/05/attribute-exchange-security-alert/
http://code.google.com/p/tipfy/source/detail?r=5439d7669540

Modified:
/tipfy/auth/openid.py

=======================================
--- /tipfy/auth/openid.py Wed Mar 30 05:57:11 2011
+++ /tipfy/auth/openid.py Sat Jul 16 09:06:16 2011
@@ -203,8 +203,11 @@

user = {}
name_parts = []
+
+ openid_signed_params = self.request.args.get("openid.signed",
u'').split(',')
+
for name, uri in _ax_args:
- value = self._get_ax_arg(uri, ax_ns)
+ value = self._get_ax_arg(uri, ax_ns, openid_signed_params)
if value:
user[name] = value
if name in ('first_name', 'last_name'):
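Review bot: The list built on the added `openid_signed_params` line is taken straight from the request, so it only constrains anything once the assertion's signature over `openid.signed` has been verified (the check_authentication step); that ordering is not visible here, and the enclosing method starts outside the hunk, so please confirm this code runs after signature verification rather than before it. A missing `openid.signed` yields `['']`, which is harmless for the later checks but worth a comment. Since the value is only used for membership tests, building a set reads more clearly: `openid_signed_params = set(self.request.args.get("openid.signed", u'').split(','))`.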
@@ -221,7 +224,7 @@

return callback(user)

- def _get_ax_arg(self, uri, ax_ns):
+ def _get_ax_arg(self, uri, ax_ns, openid_signed_params):
"""Returns an Attribute Exchange value from request.

:param uri:
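Review bot: The new `openid_signed_params` parameter of `_get_ax_arg` is not described in the docstring that the hunk already touches, while `uri` is. Add `:param openid_signed_params:` followed by a line such as `List of parameter names (without the 'openid.' prefix) covered by the assertion signature, from 'openid.signed'.`, so callers know the expected form of the names. The rest of the docstring continues past the hunk.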
@@ -237,6 +240,8 @@
prefix = 'openid.' + ax_ns + '.type.'
ax_name = None
for name, values in self.request.args.iterlists():
+ if not name[len("openid."):] in openid_signed_params:
+ continue
if values[-1] == uri and name.startswith(prefix):
part = name[len(prefix):]
ax_name = 'openid.' + ax_ns + '.value.' + part
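Review bot: The added guard slices `len("openid.")` characters off every argument name before the membership test, even for names that do not start with `openid.`; that is safe only because the `name.startswith(prefix)` check on the next line still gates any use, and a comment saying so would stop a future reorder from weakening it. The negation is also written as `not x in y` here and again in the next hunk's `ax_name` check; the idiomatic form is `if name[len("openid."):] not in openid_signed_params:`.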
@@ -244,6 +249,9 @@

if not ax_name:
return u''
+
+ if not ax_name[len("openid."):] in openid_signed_params:
+ return u''

return self.request.args.get(ax_name, u'')

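Review bot: The added check confirms the AX value parameter is signed, which together with the earlier type check covers the attribute itself, but the advisory linked in the log also asks that the namespace alias declaration be covered by the signature; with `ax_ns` resolved outside this hunk it is not visible whether `openid.ns.<alias>` is verified anywhere. If it is not, a one-line guard next to the added one would close that gap: `if 'ns.' + ax_ns not in openid_signed_params: return u''`. Where `ax_ns` is derived should be checked before adding it, since an alias taken from an unsigned parameter would make the signed-name comparisons easier to confuse.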