Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:

> Just a quick question about this patch, since I haven't really tested
> this at all (though I am aware of the CVE):
> is checking the signature before sending a request to the openid.claimed_id URL
> strict enough?

Yes, that is my understanding. If the signature is checked, that makes
it impossible for a third party to change the claimed_id URL, rendering
the attack impossible.

I don't claim to be an expert on this however.
-- 
Brian May <b...@debian.org>
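The check the thread is talking about, as an added example rather than code from the patch or from any OpenID library: an OpenID 2.0 relying party receives a positive assertion (`openid.mode=id_res`), and before it fetches anything from `openid.claimed_id` it recomputes the signature over the fields listed in `openid.signed` (key-value form, HMAC with the association's MAC key, base64, as the OpenID 2.0 spec sections 6 and 10.1 describe) and requires that `claimed_id` is among the signed fields. The association key, endpoint URLs, nonce and handle below are constructed values; a real RP would look the key up by `openid.assoc_handle`. The forging helpers show why both checks matter: swapping the URL breaks the HMAC, and dropping `claimed_id` from `openid.signed` to dodge the HMAC trips the required-fields check.

```python
"""Verify an OpenID 2.0 positive assertion's signature before acting on
openid.claimed_id (added example; not python-openid's or the patch's code)."""
import base64
import hashlib
import hmac

# Constructed shared secret standing in for the association's MAC key; a real
# RP looks it up by openid.assoc_handle from the association it stored.
ASSOC_MAC_KEY = hashlib.sha256(b"constructed demo association secret").digest()

# OpenID 2.0 section 10.1: fields that MUST be covered by the signature
# (claimed_id and identity whenever they are present in the response).
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
MUST_BE_SIGNED_IF_PRESENT = ("claimed_id", "identity")


def kv_form(params, signed_fields):
    """Section 6.1: 'key:value\\n' lines for the signed fields, in openid.signed
    order, keys written without their 'openid.' prefix."""
    return "".join(
        "%s:%s\n" % (field, params["openid." + field]) for field in signed_fields
    ).encode("utf-8")


def compute_sig(params, mac_key):
    """Section 6.2: base64(HMAC-SHA256(mac_key, kv_form)) for an HMAC-SHA256
    association."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def signed_claimed_id(params, mac_key):
    """Return openid.claimed_id only once the assertion is proven to come
    from the OP; otherwise None, and no request is sent anywhere."""
    if params.get("openid.mode") != "id_res":
        return None
    signed = set(params.get("openid.signed", "").split(","))
    required = set(MUST_BE_SIGNED)
    required.update(f for f in MUST_BE_SIGNED_IF_PRESENT if "openid." + f in params)
    if not required <= signed:
        return None  # claimed_id (or another required field) left unsigned
    if any("openid." + f not in params for f in signed):
        return None  # signed list names a field that is missing
    expected = compute_sig(params, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return None  # body altered after the OP signed it
    return params["openid.claimed_id"]


def op_positive_assertion(claimed_id, mac_key):
    """Constructed id_res response, signed the way an OP would sign it."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",  # assumed URL
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example.org/complete",  # assumed URL
        "openid.response_nonce": "2023-01-01T00:00:00ZabcDEF",  # constructed
        "openid.assoc_handle": "{HMAC-SHA256}{demo}{constructed}",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(params, mac_key)
    return params


def tampered_claimed_id(params, new_claimed_id):
    """Attacker swaps claimed_id after the OP signed the response."""
    forged = dict(params)
    forged["openid.claimed_id"] = new_claimed_id
    return forged


def unsigned_claimed_id(params, new_claimed_id):
    """Attacker also drops claimed_id from openid.signed to dodge the HMAC."""
    forged = tampered_claimed_id(params, new_claimed_id)
    forged["openid.signed"] = ",".join(
        f for f in params["openid.signed"].split(",") if f != "claimed_id"
    )
    return forged


if __name__ == "__main__":
    good = op_positive_assertion("https://example.com/alice", ASSOC_MAC_KEY)
    print(signed_claimed_id(good, ASSOC_MAC_KEY))  # https://example.com/alice
    bad = tampered_claimed_id(good, "http://127.0.0.1:6379/")
    print(signed_claimed_id(bad, ASSOC_MAC_KEY))  # None
    worse = unsigned_claimed_id(good, "http://127.0.0.1:6379/")
    print(signed_claimed_id(worse, ASSOC_MAC_KEY))  # None
```

Only the value returned by `signed_claimed_id` should ever be handed to the discovery/verification fetch; a `None` means the assertion is discarded without any outbound request, which is what closes the window the quoted question is about. Nonce replay and `return_to` checks are left out here to keep the focus on the signature.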
