Paul,
:),
Thanks
Ian
On 29 Apr 2009, at 09:15, Paul Lindner wrote:
The OAuth SP changes I mentioned below are applicable to code that
is only in trunk, not in 1.0.x
On Apr 29, 2009, at 1:11 AM, Ian Boston wrote:
Is the 1.0.x branch vulnerable?
Should we release with it in?
Ian
On 29 Apr 2009, at 08:31, Paul Lindner wrote:
On Apr 28, 2009, at 12:14 PM, Brian Eaton wrote:
I'm going to be prototyping a fix for the OAuth session fixation
attack in Shindig. There is no new OAuth spec yet, but there are
proposals that we should try to validate.
I'm focusing on the outbound OAuth support for now. If somebody
(Paul?) wants to jump into the OAuth SP code that would be great.
Otherwise I'll probably end up doing it to validate the outbound
stuff.
I already committed some fixes for this in SHINDIG-1027.
Specifically:
* Track OAuth protocol version and callback in OAuth Entry
* Add the ability to 'Disable' or 'Remove' an OAuth Entry
* Allow callback to be specified during request token phase
instead of authorize.
* Disable request token if attempt is made to convert to an access
token before requesting the authorization page.
http://svn.apache.org/viewvc?view=rev&revision=767835
Here's a design doc for the fix for the outbound code:
http://cwiki.apache.org/confluence/display/SHINDIG/OAuthSessionFixationAttack
Very well done!
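As an added illustration, not code from the thread or from Shindig itself, the following standalone Python model shows a service-provider token store that applies the four changes listed above: each entry records its protocol version and the callback bound at request-token time, entries can be disabled or removed, a 1.0a callback cannot be overridden on the authorize page, and an access-token exchange attempted before the authorize page was ever requested disables the request token. The class names, state names, and sample consumer and callback values are assumptions made for this example.

```python
"""Toy OAuth 1.0 service-provider token store modelling the four SHINDIG-1027
fixes listed in the thread. Added, standalone illustration: not Shindig's code.
OAuthEntry, TokenStore, State and the sample values below are assumptions."""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    REQUEST = "request"          # request token issued, authorize page not yet requested
    AUTHORIZING = "authorizing"  # authorize page requested, user has not approved yet
    AUTHORIZED = "authorized"    # user approved; may be exchanged for an access token
    ACCESS = "access"            # exchanged; the entry now represents an access token
    DISABLED = "disabled"        # dead; every further use is refused


@dataclass
class OAuthEntry:
    token: str
    consumer_key: str
    protocol_version: str       # fix 1: "1.0" or "1.0a" recorded per entry
    callback: Optional[str]     # fix 1/3: callback bound when the request token is issued
    state: State = State.REQUEST
    user_id: Optional[str] = None


class TokenStore:
    def __init__(self) -> None:
        self.entries: Dict[str, OAuthEntry] = {}

    def _live(self, token: str) -> OAuthEntry:
        entry = self.entries.get(token)
        if entry is None or entry.state is State.DISABLED:
            raise PermissionError("unknown or disabled token")
        return entry

    def issue_request_token(self, consumer_key: str, callback: Optional[str]) -> OAuthEntry:
        """Fix 3: the consumer supplies its callback here, not on the authorize page.
        A consumer that sends one is treated as 1.0a; one that does not stays 1.0."""
        version = "1.0a" if callback is not None else "1.0"
        entry = OAuthEntry(secrets.token_urlsafe(16), consumer_key, version, callback)
        self.entries[entry.token] = entry
        return entry

    def authorize_page_requested(self, token: str,
                                 callback_param: Optional[str] = None) -> Optional[str]:
        """Returns the callback the authorize page will redirect to after approval.
        For a 1.0a entry the stored callback wins; a differing one on the URL is refused."""
        entry = self._live(token)
        if entry.protocol_version == "1.0a":
            if callback_param is not None and callback_param != entry.callback:
                raise PermissionError("callback does not match the one bound at request time")
            callback = entry.callback
        else:
            callback = callback_param          # legacy 1.0 behaviour, kept for old consumers
        if entry.state is State.REQUEST:
            entry.state = State.AUTHORIZING
        return callback

    def user_approves(self, token: str, user_id: str) -> None:
        entry = self._live(token)
        if entry.state is not State.AUTHORIZING:
            raise PermissionError("approval is only valid from the authorize page")
        entry.state = State.AUTHORIZED
        entry.user_id = user_id

    def exchange_for_access_token(self, token: str) -> OAuthEntry:
        """Fix 4: an exchange attempted before the authorize page was ever requested
        kills the request token, so nobody can complete it later either."""
        entry = self._live(token)
        if entry.state is State.REQUEST:
            entry.state = State.DISABLED
            raise PermissionError("premature exchange; request token disabled")
        if entry.state is not State.AUTHORIZED:
            raise PermissionError("request token not yet approved")
        entry.state = State.ACCESS
        return entry

    def disable(self, token: str) -> None:    # fix 2: keep the record, refuse all use
        entry = self.entries.get(token)
        if entry is not None:
            entry.state = State.DISABLED

    def remove(self, token: str) -> None:     # fix 2: drop the record entirely
        self.entries.pop(token, None)


def happy_path() -> OAuthEntry:
    """Normal flow: issue, authorize page, approval, exchange (constructed sample values)."""
    store = TokenStore()
    e = store.issue_request_token("gadget-consumer", "https://consumer.example/cb")
    store.authorize_page_requested(e.token)
    store.user_approves(e.token, "alice")
    return store.exchange_for_access_token(e.token)


def premature_exchange() -> State:
    """Exchange attempted straight after issuance, before any authorize page was seen."""
    store = TokenStore()
    e = store.issue_request_token("gadget-consumer", "https://consumer.example/cb")
    try:
        store.exchange_for_access_token(e.token)
    except PermissionError:
        pass
    try:                                      # token stays dead even if authorize follows
        store.authorize_page_requested(e.token)
    except PermissionError:
        pass
    return store.entries[e.token].state
```

The point of the model is the state check in `exchange_for_access_token`: once a request token has been disabled it cannot be revived by a later visit to the authorize page, which is what stops an unapproved request token from being completed out of order.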