On 10/10/19 11:23 am, Brian May wrote:
> Utkarsh Gupta <[email protected]> writes:
>
>> Just a quick question about this patch since I haven't really tested
>> this at all (however aware of the CVE),
>> Is checking signature before sending a request to openid.claimed_id URL
>> strict enough?
> Yes, that is my understanding. If the signature is checked, that makes
> it impossible for a third party to change the claimed_id URL, rendering
> the attack impossible.
>
> I don't claim to be an expert on this however.
I had a few pointers, but since this is already uploaded, I'll raise this in upstream first and then get back if needed. Thank you for taking care of this.

Best,
Utkarsh
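The ordering discussed in this thread (verify the signature over the signed fields before sending any request to openid.claimed_id), as an added Python illustration that is not the patch or the package under discussion; the association secret, the sample assertion and the `fetch` discovery stand-in are constructed for the example.

```python
import base64
import hashlib
import hmac
# Constructed association secret shared by RP and OP (example value only).
ASSOC_SECRET = b"example-association-secret"

def kv_form(params):
    """Key-value form of the signed fields (OpenID 2.0 sect. 4.1.1): 'name:value\\n'
    for each name in openid.signed, in that order."""
    names = params["openid.signed"].split(",")
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in names).encode()

def sign(params, secret):
    """Copy of params carrying an HMAC-SHA256 signature, as the OP would emit."""
    mac = hmac.new(secret, kv_form(params), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode()}

def signature_valid(params, secret):
    """Recompute the MAC over the signed fields and compare in constant time;
    claimed_id must itself be inside the signed set or the check is meaningless."""
    if "claimed_id" not in params["openid.signed"].split(","):
        return False
    mac = hmac.new(secret, kv_form(params), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), params.get("openid.sig", ""))

def verify_response(params, secret, fetch):
    """Hardened order: signature first, then discovery (the network request) on
    openid.claimed_id. Returns fetch's result, or None if rejected before any request."""
    if not signature_valid(params, secret):
        return None
    return fetch(params["openid.claimed_id"])

# Constructed positive assertion from the OP (values are illustrative).
GENUINE = sign({
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2019-10-10T11:23:00Zabc",
    "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
}, ASSOC_SECRET)
# The same assertion with claimed_id altered by a third party: the MAC no longer matches.
TAMPERED = {**GENUINE, "openid.claimed_id": "https://other.example/id"}

def run(params):
    """Drive verify_response with a recording stand-in for discovery; returns (urls_fetched, result)."""
    fetched = []
    def fetch(url):
        fetched.append(url)  # would be the HTTP request to claimed_id
        return url
    return fetched, verify_response(params, ASSOC_SECRET, fetch)
```

With the genuine assertion the discovery request goes out; with the altered one the RP rejects the response before contacting the attacker-chosen URL at all.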
