
Fix open redirector in oauth1 login flow.

Clients are no longer allowed to specify callback URLs.
1 parent 172f709 commit 3ad16722828ad351e1bfd2ace2718d3e0008c677 Emily Stark committed Apr 21, 2014
Showing with 11 additions and 8 deletions.
  1. +6 −0 History.md
  2. +4 −2 packages/oauth1/oauth1_server.js
  3. +1 −6 packages/twitter/twitter_client.js
@@ -1,5 +1,11 @@
## v.NEXT
+## v0.8.0.1
+
+* Fix security flaw in OAuth1 implementation. Clients can no longer
+ choose the callback_url for OAuth1 logins.
+
+
## v0.8.0
Meteor 0.8.0 introduces Blaze, a total rewrite of our live templating engine,
@@ -16,13 +16,15 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
if (query.requestTokenAndRedirect) {
// step 1 - get and store a request token
+ var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" +
+ query.state);
// Get a request token to start auth process
- oauthBinding.prepareRequestToken(query.requestTokenAndRedirect);
+ oauthBinding.prepareRequestToken(callbackUrl);
// Keep track of request token so we can verify it on the next step
requestTokens[query.state] = {
- requestToken: oauthBinding.requestToken,
+ requestToken: oauthBinding.requestToken,
requestTokenSecret: oauthBinding.requestTokenSecret
};
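Review bot: The callback URL built on the added lines concatenates `query.state` raw, and on the new side that query parameter is the only client-supplied component left in the URL, so a state value containing `&`, `#` or other URL metacharacters can append or truncate query parameters in the callback that gets registered with the provider (and a missing state yields the literal `state=undefined`); encode it: `var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" + encodeURIComponent(query.state));`. The handler is registered generically as `Oauth._requestHandlers['1']` and receives a `service` argument, yet the path hardcodes `twitter`; if `service` exposes the service name (verify the field), derive the path from it so other OAuth1 services are not routed back through the Twitter endpoint. A short comment such as `// Build the callback server-side so the client cannot choose the redirect target` would record why the client-supplied value is no longer used. The handler body continues outside the hunk.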
@@ -23,14 +23,9 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback
// a credentialToken parameter to the url and the callback url that we'll be returned
// to by oauth provider
- // url back to app, enters "step 2" as described in
- // packages/accounts-oauth1-helper/oauth1_server.js
- var callbackUrl = Meteor.absoluteUrl('_oauth/twitter?close&state=' + credentialToken);
-
// url to app, enters "step 1" as described in
// packages/accounts-oauth1-helper/oauth1_server.js
- var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect='
- + encodeURIComponent(callbackUrl)
+ var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=true'
+ '&state=' + credentialToken;
Oauth.showPopup(
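Review bot: The comment whose tail is visible in the first two context lines still says the URL carries `the callback url that we'll be returned to`, but on the new side only `requestTokenAndRedirect=true` and `state` are sent and no callback URL is passed at all; update it to `// a credentialToken parameter to the url; the server builds the callback url itself`. The new `loginUrl` also still concatenates `credentialToken` without `encodeURIComponent`; if it is an opaque generated id this is harmless today, but encoding it costs nothing and keeps the query string well-formed should the token format change. `Twitter.requestCredential` starts and ends outside the hunk.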
