david / django-oauth (http://oauth.net/)
Support of OAuth in Django. Note that http://code.welldev.org/django-oauth-plus will use python-oauth2 if you're interested in it.
| commit 43: | 4ec55f467733 |
| parent 42: | 02962bee73ef |
| branch: | default |
This is a STRONGLY recommended update.
The issue, found by Matthieu Huguet, comes from Token/Consumer.generate_random_codes functions which test the key AND secret combination and not key OR secret. This is not a security issue because stores.DataStore.lookup_consumer/lookup_token tries to retrieve the token with an objects.get so it will raise a model.MultipleObjectsReturned error in case there are two similar keys. But you must be careful if you have customized the store.
Please contact me (http://larlet.com) if you'd like to be added to the django-oauth-security mailing list for future security announcements.
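The commit message describes the defect in words: the uniqueness loop in Consumer/Token.generate_random_codes filtered on key AND secret, so a freshly drawn key that already existed with a different secret was accepted, and the duplicate only surfaced later when lookup_consumer/lookup_token did an objects.get. The following plain-Python model is an added example, not code from the django-oauth commit or project; it stands in for the Django queryset with an in-memory list of constructed rows and a deterministic stand-in for generate_random, so it runs without Django and shows the pre-fix and post-fix predicates side by side.

```python
"""Added example (not part of django-oauth): model the uniqueness check in
generate_random_codes with an in-memory table, to show why filtering on
key AND secret lets a duplicated key through while key OR secret rejects it.
All rows and draws below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    key: str
    secret: str


# Constructed rows standing in for Consumer.objects / Token.objects.
EXISTING = [
    Credential(key="k-aaaa", secret="s-1111"),
    Credential(key="k-bbbb", secret="s-2222"),
]


def collides_and(rows, key, secret):
    """Pre-fix predicate: filter(key__exact=key, secret__exact=secret).
    Only a row matching BOTH fields counts as a collision."""
    return any(r.key == key and r.secret == secret for r in rows)


def collides_or(rows, key, secret):
    """Fixed predicate: filter(Q(key__exact=key) | Q(secret__exact=secret)).
    A row matching EITHER field counts as a collision."""
    return any(r.key == key or r.secret == secret for r in rows)


def generate_unique(rows, candidates, collides):
    """Mirror the while-loop in generate_random_codes: take (key, secret)
    pairs from ``candidates`` (a deterministic stand-in for generate_random)
    until ``collides`` reports no clash, and return the accepted pair."""
    draws = iter(candidates)
    key, secret = next(draws)
    while collides(rows, key, secret):
        key, secret = next(draws)
    return key, secret


def key_is_ambiguous(rows, key):
    """Mirror what DataStore.lookup_consumer/lookup_token would hit with
    objects.get(key=...): True when more than one row shares the key,
    i.e. the case that raises MultipleObjectsReturned in Django."""
    return sum(1 for r in rows if r.key == key) > 1


def demo():
    """Run both predicates over the same constructed draws.

    The first draw reuses an existing key with a fresh secret; the second
    is fully fresh. Returns (pair accepted by AND, pair accepted by OR).
    """
    draws = [("k-aaaa", "s-9999"), ("k-cccc", "s-3333")]
    accepted_and = generate_unique(EXISTING, draws, collides_and)
    accepted_or = generate_unique(EXISTING, draws, collides_or)
    return accepted_and, accepted_or


if __name__ == "__main__":
    by_and, by_or = demo()
    print("AND check accepted:", by_and)   # reuses the existing key k-aaaa
    print("OR  check accepted:", by_or)    # fresh key and secret
    rows_after_and = EXISTING + [Credential(*by_and)]
    print("lookup by key ambiguous after AND insert:",
          key_is_ambiguous(rows_after_and, "k-aaaa"))
```

Running the script shows the AND predicate accepting `("k-aaaa", "s-9999")`, after which a lookup by key matches two rows, while the OR predicate skips that draw and accepts the fresh pair.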
11 months ago
Changed (Δ144 bytes):
oauth_provider/models.py (4 lines added, 2 lines removed)
| … | … | @@ -53,7 +53,8 @@ class Consumer(models.Model): |
53 |
53 |
""" |
54 |
54 |
key = generate_random(length=KEY_SIZE) |
55 |
55 |
secret = generate_random(length=SECRET_SIZE) |
56 |
while Consumer.objects.filter( |
|
56 |
while Consumer.objects.filter(models.Q(key__exact=key) | models.Q(secret__exact=secret)).count(): |
|
57 |
key = generate_random(length=KEY_SIZE) |
|
57 |
58 |
secret = generate_random(length=SECRET_SIZE) |
58 |
59 |
self.key = key |
59 |
60 |
self.secret = secret |
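Review bot: the loop at new lines 56–58 is still a check-then-insert sequence, so two concurrent calls can both observe `count()` returning 0 for the same key and both save it; the OR condition fixes the predicate but not the race. Since the commit message says lookup_consumer relies on `objects.get` raising `MultipleObjectsReturned` for duplicate keys, a database-level constraint (`unique=True` on `key`, and on `secret` if it must also be unique) with the loop retrying on `IntegrityError` would make the guarantee hold regardless of how the store is customized. Minor: the new `while` line runs well past 79 columns; splitting the two `Q()` terms across lines would keep it within PEP 8.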
| … | … | @@ -107,7 +108,8 @@ class Token(models.Model): |
107 |
108 |
""" |
108 |
109 |
key = generate_random(length=KEY_SIZE) |
109 |
110 |
secret = generate_random(length=SECRET_SIZE) |
110 |
while Token.objects.filter( |
|
111 |
while Token.objects.filter(models.Q(key__exact=key) | models.Q(secret__exact=secret)).count(): |
|
112 |
key = generate_random(length=KEY_SIZE) |
|
111 |
113 |
secret = generate_random(length=SECRET_SIZE) |
112 |
114 |
self.key = key |
113 |
115 |
self.secret = secret |
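Review bot: the loop at new lines 111–113 is a line-for-line copy of the one added to `Consumer.generate_random_codes` in the hunk above, differing only in the model queried; pulling it into one helper that takes the model class (e.g. `_unique_key_and_secret(Token)`) would keep the two copies from diverging, which matters here because the hunk shows the old loop regenerated only `secret` (old line 111) and not `key`. A regression test that seeds a row with a known key and asserts that a generated pair never reuses it would also lock in the OR semantics for both models.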
