do not cache endpoints

Caching these would have allowed a malicious or buggy
auth/token_endpoint combination to give you credentials for another
user's domain name.
Kyle Mahan 2015-05-31 09:16:40 -07:00
parent 4d1f70b1e6
commit b714d8db93
3 changed files with 16 additions and 15 deletions


@ -1,6 +1,17 @@
# Change Log # Change Log
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
## 0.2.2
## Changed
- Fix vulnerability; re-discover the authorization_endpoint and
token_endpoint at each stage in the flow. Prevents a buggy or
malicious authorization_endpoint from giving you credentials for
another user's domain name.
## 0.2.1 - 2015-02-07
## Changed
- Updated setup.py, no functional changes
## 0.2.0 - 2015-02-07 ## 0.2.0 - 2015-02-07
### Changed ### Changed
- Started keeping a changelog! - Started keeping a changelog!


@ -121,10 +121,6 @@ class MicropubClient:
csrf_token = uuid.uuid4().hex csrf_token = uuid.uuid4().hex
flask.session['_micropub_csrf_token'] = csrf_token flask.session['_micropub_csrf_token'] = csrf_token
# save the endpoints so we don't have to scrape the target page again
# right awway
flask.session['_micropub_endpoints'] = (
auth_url, token_url, micropub_url)
auth_params = { auth_params = {
'me': me, 'me': me,
@ -165,6 +161,7 @@ class MicropubClient:
def _handle_authenticate_response(self): def _handle_authenticate_response(self):
code = flask.request.args.get('code') code = flask.request.args.get('code')
state = flask.request.args.get('state') state = flask.request.args.get('state')
me = flask.request.args.get('me')
redirect_uri = flask.url_for(flask.request.endpoint, _external=True) redirect_uri = flask.url_for(flask.request.endpoint, _external=True)
if state and '|' in state: if state and '|' in state:
@ -180,11 +177,7 @@ class MicropubClient:
return AuthResponse( return AuthResponse(
next_url=next_url, error='mismatched CSRF token') next_url=next_url, error='mismatched CSRF token')
if '_micropub_endpoints' in flask.session: auth_url = self._discover_endpoints(me)[0]
auth_url = flask.session['_micropub_endpoints'][0]
else:
auth_url = self._discover_endpoints(
flask.request.args.get('me'))[0]
if not auth_url: if not auth_url:
return AuthResponse( return AuthResponse(
@ -227,16 +220,13 @@ class MicropubClient:
authenticate_response = self._handle_authenticate_response() authenticate_response = self._handle_authenticate_response()
code = flask.request.args.get('code') code = flask.request.args.get('code')
state = flask.request.args.get('state') state = flask.request.args.get('state')
me = flask.request.args.get('me')
redirect_uri = flask.url_for(flask.request.endpoint, _external=True) redirect_uri = flask.url_for(flask.request.endpoint, _external=True)
if authenticate_response.error: if authenticate_response.error:
return authenticate_response return authenticate_response
if '_micropub_endpoints' in flask.session: token_url, micropub_url = self._discover_endpoints(me)[1:]
_, token_url, micropub_url = flask.session['_micropub_endpoints']
else:
_, token_url, micropub_url = self._discover_endpoints(
flask.request.args.get('me'))
if not token_url or not micropub_url: if not token_url or not micropub_url:
# successfully auth'ed user, no micropub endpoint # successfully auth'ed user, no micropub endpoint
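Review bot: `me` is read from the callback query string in `_handle_authenticate_response` and passed unchecked to `self._discover_endpoints(me)`, so a callback with no `me` parameter now always reaches discovery with `None`, where before it did so only when the session held no cached endpoints. `_discover_endpoints` is not visible here, so its behaviour on `None` is unknown; a guard before the call, such as `if not me: return AuthResponse(next_url=next_url, error='missing "me" parameter')`, would make that failure explicit. The authorization handler also calls `_handle_authenticate_response()` and then `self._discover_endpoints(me)` a second time, so the user's page is fetched twice per callback and the two fetches are not guaranteed to return the same endpoints. Doing discovery once per callback and reusing all three values for both the code verification and the token request would close that gap. Because discovery is now driven on every callback by a request-supplied URL, it would also help to add a comment at the call site stating what `_discover_endpoints` accepts (scheme, host restrictions, timeout); both functions continue outside the hunks shown.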


@ -11,7 +11,7 @@ from setuptools import setup
setup( setup(
name='Flask-Micropub', name='Flask-Micropub',
version='0.2.0', version='0.2.2',
url='https://github.com/kylewm/flask-micropub/', url='https://github.com/kylewm/flask-micropub/',
license='BSD', license='BSD',
author='Kyle Mahan', author='Kyle Mahan',