get rid of callback nonce

darcs-hash:20080602201707-84dde-400855b57fcf01e597494143cc78092351043b91.gz
This commit is contained in:
Evan Prodromou 2008-06-02 16:17:07 -04:00
parent 7b24d101c0
commit e103c8b6ea
2 changed files with 7 additions and 15 deletions


@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action {
return; return;
} }
$nonce = $this->trimmed('nonce'); $omb = $_SESSION['oauth_authorization_request'];
if (!$omb) {
common_user_error(_t('No nonce returned!'));
return;
}
$omb = $_SESSION[$nonce];
if (!$omb) { if (!$omb) {
common_user_error(_t('Not expecting this response!')); common_user_error(_t('Not expecting this response!'));
@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action {
} }
# Clear the data # Clear the data
unset($_SESSION[$nonce]); unset($_SESSION['oauth_authorization_request']);
# If we show subscriptions in reverse chron order, this should # If we show subscriptions in reverse chron order, this should
# show up close to the top of the page # show up close to the top of the page
@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action {
$con = omb_oauth_consumer(); $con = omb_oauth_consumer();
$tok = new OAuthToken($omb['token'], $omb['secret']); $tok = new OAuthToken($omb['token'], $omb['secret']);
$url = $omb[OAUTH_ENDPOINT_ACCESS][0]; $url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
# XXX: Is this the right thing to do? Strip off GET params and make them # XXX: Is this the right thing to do? Strip off GET params and make them
# POST params? Seems wrong to me. # POST params? Seems wrong to me.
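Review bot: The new `$omb = $_SESSION['oauth_authorization_request'];` in the first hunk indexes the session before the `if (!$omb)` guard runs, so an unsolicited or repeated callback with no pending request raises an undefined-index notice rather than falling cleanly into the "Not expecting this response!" branch; read it defensively, `$omb = isset($_SESSION['oauth_authorization_request']) ? $_SESSION['oauth_authorization_request'] : null;`. With the per-request nonce gone, this fixed key is also the only thing linking the callback to the request that created it, so the handler should check that the `oauth_token` returned by the provider equals `$omb['token']` before using the stored secret; I cannot see from these hunks whether that comparison already exists. The `handle` method these hunks belong to starts and ends outside the hunks.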


@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action {
$req->set_parameter('omb_listenee_avatar', $avatar->url); $req->set_parameter('omb_listenee_avatar', $avatar->url);
} }
$nonce = $this->make_nonce(); # XXX: add a nonce to prevent replay attacks
$req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe', $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
array('nonce' => $nonce)));
# XXX: test to see if endpoint accepts this signature method # XXX: test to see if endpoint accepts this signature method
@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action {
$omb['token'] = $token; $omb['token'] = $token;
$omb['secret'] = $secret; $omb['secret'] = $secret;
$_SESSION[$nonce] = $omb; $_SESSION['oauth_authorization_request'] = $omb;
# Redirect to authorization service # Redirect to authorization service
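Review bot: The `# XXX: add a nonce to prevent replay attacks` comment in the first hunk records that this change removes the only value binding the callback URL to the originating request, and the second hunk stores the pending request under the fixed key `$_SESSION['oauth_authorization_request']`. That means a second subscription attempt started in the same session overwrites the first one's token and secret, and the callback carries nothing the finish action can use to tell which request it answers; the XXX should say so explicitly, e.g. `# XXX: a fixed session key means concurrent subscribe flows clobber each other and the callback is not bound to this request; restore a per-request nonce and verify it in finishremotesubscribe`. If the nonce is to stay out, the finish action must at least compare the returned token against `$omb['token']`, which is not visible here. The enclosing method starts and ends outside these hunks.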