On Tue, Dec 9, 2008 at 12:13 PM, Marc Worrell <[EMAIL PROTECTED]> wrote:
>> Is there a realistic threat here?
>
> I can see a possible scenario where all of the following conditions are
> true:
>
> 1. The provider trusts the consumer completely (i.e. doesn't do any checks
> apart from the OAuth signature)
> 2. The provider performs instructions supplied in the request body (a
> programme script or similar)
> 3. The consumer is tricked into sending a (say) programme script assuming it
> is a raw text or image
> 4. The Content-Type header is changed in transit and the provider now
> receives a programme script instead of a text (or image)

This assumes someone has built an application that relies on HTTP headers to make security critical decisions about the semantics of a request. While it is certainly possible to write software that uses HTTP request headers that way, I haven't seen it done. Does anyone know of such systems being built in practice?
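
Added example, not part of the original message or of any OAuth library: a sketch of the OAuth Core 1.0 HMAC-SHA1 signature (two-legged, no token secret) showing that the Content-Type header from the quoted scenario is not an input to the signature base string, so a provider that checks only the signature accepts the request with either header value, while a changed URL is rejected. The key, secret, nonce, endpoint and media types are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # OAuth Core 1.0 section 9.1: method, URL and sorted parameters only.
    # No HTTP header other than the OAuth parameters themselves is an input.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def provider_accepts(request, consumer_secret):
    # Provider-side check as in condition 1: the signature and nothing else.
    params = dict(request["oauth_params"])
    claimed = params.pop("oauth_signature")
    expected = sign(request["method"], request["url"], params, consumer_secret)
    return hmac.compare_digest(claimed, expected)


def demo():
    secret = "constructed-consumer-secret"  # constructed sample value
    params = {
        "oauth_consumer_key": "constructed-key",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1228824780",
        "oauth_nonce": "constructed-nonce",
    }
    url = "https://provider.example/upload"  # hypothetical endpoint
    signed = dict(params, oauth_signature=sign("POST", url, params, secret))
    sent = {"method": "POST", "url": url, "oauth_params": signed,
            "headers": {"Content-Type": "text/plain"}, "body": b"hello"}
    # Same request with only the Content-Type header different on arrival.
    received = dict(sent, headers={"Content-Type": "application/x-script"})
    moved = dict(sent, url=url + "/other")  # a signed field changed instead
    return [provider_accepts(r, secret) for r in (sent, received, moved)]
```

`demo()` returns the provider's verdict for the request as sent, the same request with a different Content-Type, and the request with a different URL.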
