[
https://issues.apache.org/jira/browse/SHINDIG-1505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bastian Hofmann resolved SHINDIG-1505.
--------------------------------------
Resolution: Fixed
> PHP: Possible OAuth Access Token Leak when using the built in OAuthFetcher to
> issue OAuth secured proxied requests
> ------------------------------------------------------------------------------------------------------------------
>
> Key: SHINDIG-1505
> URL: https://issues.apache.org/jira/browse/SHINDIG-1505
> Project: Shindig
> Issue Type: Bug
> Components: PHP
> Reporter: Bastian Hofmann
> Assignee: Bastian Hofmann
> Fix For: 2.0.3
>
>
> In OAuthFetcher the storage key to save an access token that has been fetched
> for a proxied request that is secured through OAuth includes the current
> owner id. This means that this access token will be accessible to all
> viewers visiting the gadget instance of this owner, who could possibly use
> this access token to make operations at the target API on behalf of the owner.
> To prevent it the storage key should include the viewer id instead.
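The keying problem described in the report, as an added example that is not Shindig's code and not part of the original message. The TokenStore class, the two key functions, the context fields and the sample users are all hypothetical; only the owner-id versus viewer-id distinction comes from the report.

```php
<?php
// Added illustration, not Shindig code: every name below is hypothetical.
// Sample users and URLs are constructed.

final class TokenStore
{
    private array $tokens = [];

    public function put(string $key, string $token): void
    {
        $this->tokens[$key] = $token;
    }

    public function get(string $key): ?string
    {
        return $this->tokens[$key] ?? null;
    }
}

// Key as described in the report: scoped to the gadget owner.
function ownerScopedKey(array $ctx): string
{
    return hash('sha256', json_encode([$ctx['appUrl'], $ctx['service'], $ctx['ownerId']]));
}

// Key as proposed in the report: scoped to the current viewer.
function viewerScopedKey(array $ctx): string
{
    return hash('sha256', json_encode([$ctx['appUrl'], $ctx['service'], $ctx['viewerId']]));
}

// The owner authorizes the gadget, then a second user views the same
// gadget instance. Returns what the store hands to the second user's request.
function tokenSeenByVisitor(callable $keyFn): ?string
{
    $store = new TokenStore();
    $gadget = ['appUrl' => 'https://gadgets.example/app.xml',
               'service' => 'example-api', 'ownerId' => 'alice'];
    $store->put($keyFn($gadget + ['viewerId' => 'alice']), 'token-issued-to-alice');
    return $store->get($keyFn($gadget + ['viewerId' => 'bob']));
}

var_dump(tokenSeenByVisitor('ownerScopedKey'));
var_dump(tokenSeenByVisitor('viewerScopedKey'));
```

With the owner-scoped key, the lookup made for bob's request returns the token issued to alice. With the viewer-scoped key the lookup misses, so bob's request has no token until bob authorizes for himself.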