Andreas Kohn created SHINDIG-1945:
-------------------------------------
Summary: OAuth authorize.jsp handles form submission results incorrectly
Key: SHINDIG-1945
URL: https://issues.apache.org/jira/browse/SHINDIG-1945
Project: Shindig
Issue Type: Bug
Components: Java
Affects Versions: 2.5.0-update1
Reporter: Andreas Kohn
Attachments: SHINDIG-xxxx-oauth-authorize.jsp-broken.diff

Found while reading through the sources: authorize.jsp is used for presenting a
user with a dialog asking whether he wants to authorize an OAuth client for
accessing his content.
The dialog form contains two 'submit' buttons, both named 'Authorize', one
giving the value 'Authorize', the other giving the value 'Deny'.
The JSP however doesn't check for the *specific value*, but instead checks
whether the request contains *any value* for either the 'Authorize' or 'Deny'
parameter. There is no input named 'Deny', and the 'Authorize' parameter will
be set to non-null for both 'Authorize' and 'Deny' answers of the user.
See attached patch.
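The difference between the presence check and the value check described in the report, as an added example that is not Shindig's code or the attached patch. The class, enum and method names are hypothetical, the request parameters are modelled as a plain map, and treating an unexpected value as a denial is a choice made for this example.

```java
import java.util.Map;

public class AuthorizeFormCheck {
    enum Decision { AUTHORIZE, DENY, SHOW_FORM }

    // Presence-only logic as the report describes it: any value for the
    // 'Authorize' parameter counts as consent. Both buttons are named
    // 'Authorize', so the Deny button also lands in the first branch, and
    // the 'Deny' branch can never be reached from the form.
    static Decision presenceOnly(Map<String, String> params) {
        if (params.get("Authorize") != null) return Decision.AUTHORIZE;
        if (params.get("Deny") != null) return Decision.DENY;
        return Decision.SHOW_FORM;
    }

    // Value-based logic: only the exact value "Authorize" grants access.
    // Any other submitted value, including "Deny", is treated as a denial
    // (fail closed; an assumption of this example).
    static Decision byValue(Map<String, String> params) {
        String submitted = params.get("Authorize");
        if (submitted == null) return Decision.SHOW_FORM;
        return "Authorize".equals(submitted) ? Decision.AUTHORIZE : Decision.DENY;
    }

    public static void main(String[] args) {
        // Constructed sample submissions, one per way of reaching the page.
        Map<String, Map<String, String>> cases = Map.of(
            "initial page load", Map.of(),
            "clicked Authorize", Map.of("Authorize", "Authorize"),
            "clicked Deny", Map.of("Authorize", "Deny"),
            "unexpected value", Map.of("Authorize", "anything-else"));

        cases.forEach((name, params) -> System.out.printf(
            "%-18s presenceOnly=%-9s byValue=%s%n",
            name, presenceOnly(params), byValue(params)));
    }
}
```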