PHP: Possible OAuth Access Token Leak when using the built-in OAuthFetcher to
issue OAuth secured proxied requests
------------------------------------------------------------------------------------------------------------------
Key: SHINDIG-1505
URL: https://issues.apache.org/jira/browse/SHINDIG-1505
Project: Shindig
Issue Type: Bug
Components: PHP
Reporter: Bastian Hofmann
Assignee: Bastian Hofmann
Fix For: 2.0.3

In OAuthFetcher, the storage key used to save an access token that has been
fetched for a proxied request that is secured through OAuth includes the current
owner id. This means that this access token will be accessible to all viewers
visiting the gadget instance of this owner, who could possibly use this access
token to perform operations at the target API on behalf of the owner.

To prevent this, the storage key should include the viewer id instead.
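
The keying flaw described in the report, reduced to a minimal added example (not Shindig's OAuthFetcher code): the store, key functions, context fields and sample users are hypothetical. It compares an owner-scoped key with a viewer-scoped key; rejecting an empty viewer id is an extra precaution assumed here, not something the report states.

```php
<?php
// Added illustration; all names are hypothetical, not Shindig's actual classes.
final class TokenStore
{
    private array $tokens = [];

    public function put(string $key, string $accessToken): void
    {
        $this->tokens[$key] = $accessToken;
    }

    public function get(string $key): ?string
    {
        return $this->tokens[$key] ?? null;
    }
}

// Key as described in the report: bound to the owner of the gadget instance.
function ownerScopedKey(array $ctx): string
{
    // Hash a JSON array so ids containing a delimiter cannot collide.
    return hash('sha256', json_encode([$ctx['gadgetUrl'], $ctx['serviceName'], $ctx['ownerId']]));
}

// Key as the report proposes: bound to the user on whose behalf the request is made.
function viewerScopedKey(array $ctx): string
{
    if (($ctx['viewerId'] ?? '') === '') {
        // Assumption: anonymous viewers must never share one token slot.
        throw new InvalidArgumentException('viewer id required for OAuth token storage');
    }
    return hash('sha256', json_encode([$ctx['gadgetUrl'], $ctx['serviceName'], $ctx['viewerId']]));
}

// Constructed sample data: Alice owns the gadget instance, Bob visits her page.
$base  = ['gadgetUrl' => 'https://gadgets.example/g.xml', 'serviceName' => 'example-api', 'ownerId' => 'alice'];
$alice = $base + ['viewerId' => 'alice'];
$bob   = $base + ['viewerId' => 'bob'];

foreach (['ownerScopedKey', 'viewerScopedKey'] as $keyFn) {
    $store = new TokenStore();
    // Alice completes the OAuth approval while viewing her own gadget.
    $store->put($keyFn($alice), 'alice-access-token');
    // Bob's proxied request looks up a token under the same keying scheme.
    $found = $store->get($keyFn($bob));
    printf("%-16s Bob's lookup returns: %s\n", $keyFn, $found ?? '(none, Bob must authorize himself)');
}
```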