Duplicate nonce check on Server.verify_request() #129

Closed
edevil opened this issue Feb 4, 2013 · 4 comments

@edevil edevil commented Feb 4, 2013

I've noticed that the nonce check in Server.verify_request() has been removed from the original oauth lib. Is there a reason for this?

@weevilgenius weevilgenius commented Mar 29, 2013

While the title of this issue is a little misleading, @edevil is correct. The current implementation does not verify the nonce value in any way, which is a security hole.
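
The missing check discussed in this thread, sketched as an added example (not this project's code, and not the fix later merged to master): an OAuth 1.0 server rejects a request whose `oauth_nonce` was already seen for the same consumer, token and `oauth_timestamp`, and bounds the store with a timestamp window. `NonceStore`, `ReplayError`, `verdict`, the 300-second window and the sample request are assumptions made for illustration.

```python
import time


class ReplayError(Exception):
    """Timestamp or nonce failed the replay check."""


class NonceStore:
    """In-memory record of nonces seen inside the accepted timestamp window."""

    def __init__(self, window=300):
        self.window = window  # assumed tolerance in seconds; not from the issue
        self._seen = {}       # (consumer, token, timestamp, nonce) -> expiry

    def check_and_store(self, consumer_key, token, timestamp, nonce, now=None):
        """Call only after the signature has verified, so that unsigned
        requests cannot fill the store or burn a client's nonces."""
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            raise ReplayError("malformed oauth_timestamp")
        if not nonce:
            raise ReplayError("missing oauth_nonce")
        if abs(now - ts) > self.window:
            raise ReplayError("oauth_timestamp outside window")
        # Entries older than the window can go: the timestamp check
        # above already rejects any request that would reuse them.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        key = (consumer_key, token, ts, nonce)
        if key in self._seen:
            raise ReplayError("oauth_nonce already used")
        self._seen[key] = ts + self.window
        return True


def verdict(store, req, now):
    """Return 'accepted' or the rejection reason for one request dict."""
    try:
        store.check_and_store(req["consumer"], req.get("token"),
                              req.get("oauth_timestamp"), req.get("oauth_nonce"), now)
        return "accepted"
    except ReplayError as exc:
        return str(exc)


# Constructed sample request (not from the issue).
SAMPLE = {"consumer": "ck", "token": "tk",
          "oauth_timestamp": "1000", "oauth_nonce": "n1"}
```

A multi-process deployment would need a shared store with an atomic insert-if-absent in place of the dictionary used here.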

Author

@edevil edevil commented May 10, 2013

Unfortunately, it seems this module is unmaintained.

@setharnold setharnold commented Sep 12, 2013

This has been assigned CVE-2013-4346. Please see http://www.openwall.com/lists/oss-security/2013/09/12/7 for details.

Contributor

@jaitaiwan jaitaiwan commented Jul 29, 2015

Closing this as master has a fix merged today.

@jaitaiwan jaitaiwan closed this Jul 29, 2015
@jaitaiwan jaitaiwan added the Security label Jul 29, 2015