[SHINDIG-1505] PHP: Possible OAuth Access Token Leak when using the built in OAuthFetcher to issue OAuth secured proxied requests - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.3
Component/s: PHP
Labels:
None

Description

In OAuthFetcher the storage key to save an access token that has been fetched for an proxied requests that is secured through OAuth includes the current owner id. This means that this access token will be accessable for all viewers visiting the gadget instance of this owner and could possible use this access token to make operations at the target API in behalf of the owner.

To prevent it the storage key should include the viewer id instead.

Attachments

Activity

People

Assignee:: Bastian Hofmann

Reporter:: Bastian Hofmann

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Feb/11 15:06

Updated:: 10/Feb/11 15:10

Resolved:: 10/Feb/11 15:10