Author: bhofmann
Date: Thu Feb 10 15:10:30 2011
New Revision: 1069418
URL: http://svn.apache.org/viewvc?rev=1069418&view=rev
Log:
SHINDIG-1505: Fixed Possible OAuth Access Token Leak when using the built-in
OAuthFetcher to issue OAuth-secured proxied requests
Modified:
shindig/trunk/php/src/gadgets/oauth/OAuthFetcher.php
Modified: shindig/trunk/php/src/gadgets/oauth/OAuthFetcher.php
URL:
http://svn.apache.org/viewvc/shindig/trunk/php/src/gadgets/oauth/OAuthFetcher.php?rev=1069418&r1=1069417&r2=1069418&view=diff
==============================================================================
--- shindig/trunk/php/src/gadgets/oauth/OAuthFetcher.php (original)
+++ shindig/trunk/php/src/gadgets/oauth/OAuthFetcher.php Thu Feb 10 15:10:30
2011
@@ -227,10 +227,11 @@ class OAuthFetcher extends RemoteContent
$tokenKey->setAppId($this->authToken->getAppId());
$tokenKey->setServiceName($this->requestParams->getServiceName());
$tokenKey->setTokenName($this->requestParams->getTokenName());
- // At some point we might want to let gadgets specify whether to use OAuth
- // for the owner, the viewer, or someone else. For now always using the
- // owner identity seems reasonable.
- $tokenKey->setUserId($this->authToken->getOwnerId());
+ // We should always use the current viewer id as a token key. Using the
owner id
+ // would mean, that a private access token (with possible write access to
the api)
+ // could be accessable to other viewers that are visiting the gadget of
another
+ // owner
+ $tokenKey->setUserId($this->authToken->getViewerId());
return $tokenKey;
}
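Review bot: The new key on the last added line changes which stored token is looked up, so any token already persisted under the owner id is no longer reachable and those viewers will have to re-authorize; if the token store is not migrated, that consequence is worth stating in the commit message or a comment. Whether getViewerId() can be empty for an anonymous viewer is not visible here; if it can, every anonymous viewer would share one key, so the caller should refuse to use a stored token without a real viewer id. The added comment also has grammar and spelling slips ("would mean, that", "accessable") and would read more clearly as `// Key the token on the viewer, not the owner: an owner-keyed token (possibly with API write access) would be shared with every viewer of that owner's gadget.`. The enclosing method begins above the hunk.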