The OAuth SP changes I mentioned below are applicable to code that is
only in trunk, not in 1.0.x.
On Apr 29, 2009, at 1:11 AM, Ian Boston wrote:
Is the 1.0.x branch vulnerable?
Should we release with it in?
Ian
On 29 Apr 2009, at 08:31, Paul Lindner wrote:
On Apr 28, 2009, at 12:14 PM, Brian Eaton wrote:
I'm going to be prototyping a fix for the OAuth session fixation
attack in Shindig. There is no new OAuth spec yet, but there are
proposals that we should try to validate.
I'm focusing on the outbound OAuth support for now. If somebody
(Paul?) wants to jump into the OAuth SP code that would be great.
Otherwise I'll probably end up doing it to validate the outbound
stuff.
I already committed some fixes for this in SHINDIG-1027.
Specifically:
* Track OAuth protocol version and callback in OAuth Entry
* Add the ability to 'Disable' or 'Remove' an OAuth Entry
* Allow callback to be specified during request token phase instead
of authorize.
* Disable request token if attempt is made to convert to an access
token before requesting the authorization page.
http://svn.apache.org/viewvc?view=rev&revision=767835
Here's a design doc for the fix for the outbound code:
http://cwiki.apache.org/confluence/display/SHINDIG/OAuthSessionFixationAttack
Very well done!
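To make the four SHINDIG-1027 changes listed above concrete, here is an added example that is not Shindig's code (Shindig's service provider is written in Java; this is a stand-alone Python sketch written for this thread). It models an OAuth 1.0-style request-token registry whose entries record the protocol version and the callback bound at request-token time, can be disabled or removed, hand back the stored callback at the authorization step rather than one supplied on the authorize URL, and burn a request token that a consumer tries to exchange before the user has reached the authorization page. All class, method and field names (`OAuthEntry`, `RequestTokenStore`, `TokenState`, `consumer_key`, `oauth_version`) are hypothetical, and the consumer keys and callback URL are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional
import secrets


class TokenState(Enum):
    ISSUED = "issued"          # handed to the consumer; user has not seen the authorize page
    AUTHORIZED = "authorized"  # user approved it on the authorize page
    EXCHANGED = "exchanged"    # converted to an access token (single use)
    DISABLED = "disabled"      # burned after misuse, or disabled by an operator


@dataclass
class OAuthEntry:
    """Per-token record (hypothetical layout, not Shindig's OAuthEntry).
    Protocol version and callback are stored at issue time so the SP can
    check the flow later instead of trusting authorize-URL parameters."""
    token: str
    consumer_key: str
    oauth_version: str
    callback: Optional[str]          # bound when the request token is issued
    state: TokenState = TokenState.ISSUED
    user_id: Optional[str] = None
    secret: str = field(default_factory=lambda: secrets.token_hex(16))


class RequestTokenStore:
    """In-memory registry implementing the state transitions described above."""

    def __init__(self) -> None:
        self._entries: Dict[str, OAuthEntry] = {}

    def issue_request_token(self, consumer_key: str, callback: Optional[str],
                            oauth_version: str = "1.0") -> OAuthEntry:
        # Callback is accepted here, in the request-token phase, and never
        # re-read from the authorize request.
        entry = OAuthEntry(secrets.token_hex(8), consumer_key, oauth_version, callback)
        self._entries[entry.token] = entry
        return entry

    def lookup(self, token: str) -> Optional[OAuthEntry]:
        return self._entries.get(token)

    def authorize(self, token: str, user_id: str) -> Optional[str]:
        """User approved the token on the authorization page. Returns the
        callback bound at issue time; any callback parameter on the
        authorize URL is deliberately ignored."""
        entry = self._active(token)
        if entry.state is not TokenState.ISSUED:
            raise PermissionError("token is not awaiting authorization")
        entry.state = TokenState.AUTHORIZED
        entry.user_id = user_id
        return entry.callback

    def exchange_for_access_token(self, token: str, consumer_key: str) -> dict:
        entry = self._active(token)
        if entry.consumer_key != consumer_key:
            self.disable(token)
            raise PermissionError("consumer key mismatch")
        if entry.state is TokenState.ISSUED:
            # Exchange attempted before the user reached the authorize page:
            # disable the token so it can never be authorized afterwards.
            self.disable(token)
            raise PermissionError("request token exchanged before authorization")
        if entry.state is not TokenState.AUTHORIZED:
            raise PermissionError("request token already used")
        entry.state = TokenState.EXCHANGED
        return {"user_id": entry.user_id, "access_token": secrets.token_hex(8)}

    def disable(self, token: str) -> bool:
        """Operator or policy action: keep the record, refuse all further use."""
        entry = self._entries.get(token)
        if entry is not None:
            entry.state = TokenState.DISABLED
        return entry is not None

    def remove(self, token: str) -> bool:
        """Operator action: drop the record entirely."""
        return self._entries.pop(token, None) is not None

    def _active(self, token: str) -> OAuthEntry:
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("unknown or removed request token")
        if entry.state is TokenState.DISABLED:
            raise PermissionError("request token disabled")
        return entry
```

The useful check is the ordering rule in `exchange_for_access_token`: a token that is still `ISSUED` when the consumer asks to exchange it is moved to `DISABLED` rather than merely refused, so a later authorization of that same token by the victim cannot succeed.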