oauthclient: cross-site request forgery fix
20edecca740c
Actions

Authored by Lars Holm Nielsen <lars.holm.nielsen@cern.ch> on Jan 30 2015, 10:30.

Description

oauthclient: cross-site request forgery fix

Fixes a CSRF issue in oauthclient in which the next parameter to "/oauth/login/app/?next=" could be used by an attacker to redirect the end-user to an external URL.

Adds use of OAuth 2.0 state parameter for all oauthclients for further CSRF protection.

Reported-by: rcpeters <info@rcpeters.com>
Signed-off-by: Lars Holm Nielsen <lars.holm.nielsen@cern.ch>

Committed

Lars Holm Nielsen <lars.holm.nielsen@cern.ch>

Jan 30 2015, 11:17

Parents

Branches

Unknown

Tags

Unknown

Lars Holm Nielsen <lars.holm.nielsen@cern.ch> committed R3600:20edecca740c: oauthclient: cross-site request forgery fix (authored by Lars Holm Nielsen <lars.holm.nielsen@cern.ch>).Jan 30 2015, 11:17

				Path
	M			invenio/modules/oauthclient/config.py
	M			invenio/modules/oauthclient/contrib/orcid.py
	M			invenio/modules/oauthclient/handlers.py
	P			invenio/modules/oauthclient/testsuite/test_forms.py Copied from invenio/testsuite/test_testsuite.py
	M			invenio/modules/oauthclient/testsuite/test_views.py
	M			invenio/modules/oauthclient/views/client.py
	M			invenio/utils/url.py