This repository has been archived by the owner on May 10, 2019. It is now read-only.
Bug 793579: check issuer for primary-address operations.
When "primary" addresses (which come from browserid-aware IdPs) are associated with a Persona account, users can perform certain operations (including add_email) with a primary-backed assertion. This changes primary.verifyAssertion(), which checks such assertions, to make sure their .issuer field is actually allowed to speak for the address in question.

delegatesAuthority() was taught about proxyIDPs and g_shim_cache. This shouldn't affect normal operations (which never have g_shim_cache), but allows proxy-idp-test.js to pass.

A pre-existing bug (which ran the callback multiple times) was fixed too, to keep bigtent from breaking.

A unit test was added, exercising /wsapi/add_email_with_assertion. This works by creating a cert (signed by one domain), and certifying a principal at an unrelated domain. Anyone who accepts certs should reject this.
Showing 2 changed files with 98 additions and 4 deletions.
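
The issuer check the commit message describes, as an added JavaScript example that is not the commit's code or browserid's API. The function names, the `SUPPORT_DOCS` table and its domains are constructed for illustration, and signature verification is assumed to have been done by the caller.

```javascript
'use strict';
// Constructed stand-in for each domain's published support document:
// a domain is either its own IdP (authority: null) or delegates to another.
const SUPPORT_DOCS = {
  'example.org': { authority: null },
  'mail.example.net': { authority: 'idp.example.net' },
  'idp.example.net': { authority: null },
  'loop-a.test': { authority: 'loop-b.test' },
  'loop-b.test': { authority: 'loop-a.test' },
};
const MAX_DELEGATIONS = 5; // hypothetical cap on delegation chain length

function domainOf(email) {
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// True only if `issuer` is the email's own domain or a domain reached by
// following that domain's delegation chain.
function issuerMaySpeakFor(issuer, email, docs = SUPPORT_DOCS) {
  if (typeof issuer !== 'string' || typeof email !== 'string') return false;
  const wanted = issuer.toLowerCase();
  const seen = new Set();
  let domain = domainOf(email);
  for (let hops = 0; domain && hops <= MAX_DELEGATIONS; hops++) {
    if (domain === wanted) return true;
    if (seen.has(domain)) return false; // delegation loop
    seen.add(domain);
    const known = Object.prototype.hasOwnProperty.call(docs, domain);
    domain = known ? docs[domain].authority : null;
  }
  return false;
}

// Verifier-side gate: a valid signature alone says nothing about whether
// the signer is entitled to certify this particular address.
function acceptPrimaryAssertion(assertion) {
  if (!assertion.signatureValid) return { ok: false, reason: 'bad signature' };
  if (!issuerMaySpeakFor(assertion.issuer, assertion.email)) {
    return { ok: false, reason: 'issuer may not speak for ' + assertion.email };
  }
  return { ok: true };
}
```

The rejected case mirrors the unit test in the commit message: a correctly signed cert from one domain that certifies a principal at an unrelated domain.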