[Bug 22108] Restricting OpenID using $wgOpenIDConsumerAllow can be bypassed

2010-02-09 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=22108

Craig Box  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution||FIXED

--- Comment #4 from Craig Box  2010-02-09 16:25:47 UTC ---
Tests OK for me.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are watching all bug changes.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 22108] Restricting OpenID using $wgOpenIDConsumerAllow can be bypassed

2010-01-27 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=22108

Sergey Chernyshev  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

--- Comment #3 from Sergey Chernyshev  2010-01-27 20:36:47 UTC ---
I applied it in r61601 to current trunk. Please test it - I didn't have time to
set up a testing environment for this problem, unfortunately.



[Bug 22108] Restricting OpenID using $wgOpenIDConsumerAllow can be bypassed

2010-01-27 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=22108

--- Comment #2 from Craig Box  2010-01-27 09:48:08 UTC ---
Created an attachment (id=7031)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=7031)
Security fix for issue 22108

Here is the patch.

Note: I am now checking identity_url rather than displayIdentifier; the user
can set the display identifier, so you shouldn't ever check it (e.g. I could
set up a provider to give out the ID http://badprovider.com/me but the display
identifier set to http://impersonatedprovider.com/you).



[Bug 22108] Restricting OpenID using $wgOpenIDConsumerAllow can be bypassed

2010-01-15 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=22108

--- Comment #1 from Craig Box  2010-01-15 16:53:23 UTC ---
Andrew Arnott from DotNetOpenAuth has explained the situation to me here.

In summary, the RP library should stop the "ID issued in any name" case, by
signature verification, so the only thing we need to do is check that the
assertion is acceptable with the code above.

However, we shouldn't be checking the display identifier, which can be set to
whatever you want - we should be checking the identity_url.  See
http://openidenabled.com/files/php-openid/docs/2.1.3/OpenID/Auth_OpenID_ConsumerResponse.html.

Patch forthcoming...

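The point made in comments #1 and #2 (restrict providers on the signed identity_url, never on the user-settable display identifier) is shown below as an added Python illustration; it is not the MediaWiki OpenID extension's PHP code nor php-openid, and the attachment itself is not reproduced here. The ConsumerResponse class is a constructed stand-in for Auth_OpenID_ConsumerResponse with only the two fields that matter. The allow/deny lists are assumed to be lists of regular expressions, as $wgOpenIDConsumerAllow and $wgOpenIDConsumerDeny are, and the deny-before-allow ordering is an assumption made for this example. The example also goes beyond the thread in one respect: it shows why an unanchored allow pattern can be matched by a hostile identity URL that merely contains the trusted hostname.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsumerResponse:
    """Constructed stand-in for Auth_OpenID_ConsumerResponse (not php-openid).

    identity_url:       the claimed identifier the consumer library verified
                        against the OP's signature.
    display_identifier: a presentation-only value chosen by the user/OP; an
                        attacker's OP can set it to any string it likes.
    """
    identity_url: str
    display_identifier: str


def _matches_any(patterns, value):
    """True if any regex in `patterns` matches somewhere in `value`."""
    return any(re.search(p, value) for p in patterns)


def provider_allowed(url, allow=(), deny=()):
    """Apply deny list first, then allow list, to one URL.

    Ordering (deny wins, then an explicit allow list is mandatory when set)
    is an assumption for this example, not a statement about the extension.
    """
    if _matches_any(deny, url):
        return False
    if allow and not _matches_any(allow, url):
        return False
    return True


def accept_response_vulnerable(resp, allow=(), deny=()):
    """The bypassable check: filters on the display identifier, which the
    attacker's OP controls."""
    return provider_allowed(resp.display_identifier, allow, deny)


def accept_response_fixed(resp, allow=(), deny=()):
    """The corrected check: filters on the signed identity_url."""
    return provider_allowed(resp.identity_url, allow, deny)


# --- constructed scenario from the bug discussion (hypothetical hostnames) ---

# Site policy: only identities issued under impersonatedprovider.com.
# Anchored at the scheme and host so the pattern cannot match a hostile URL
# that merely embeds the trusted hostname in its path or query string.
ALLOW_ANCHORED = [r'^https?://impersonatedprovider\.com/']

# The same intent written without anchors; a common mistake.
ALLOW_UNANCHORED = [r'impersonatedprovider\.com']

# Attacker's OP signs an assertion for its own identity but labels it as
# someone else's.
SPOOFED = ConsumerResponse(
    identity_url='http://badprovider.com/me',
    display_identifier='http://impersonatedprovider.com/you',
)

# Legitimate user of the allowed provider.
LEGIT = ConsumerResponse(
    identity_url='http://impersonatedprovider.com/you',
    display_identifier='you (impersonatedprovider.com)',
)

# Hostile identity URL that contains the trusted hostname as query data.
EMBEDDED = 'http://badprovider.com/?u=impersonatedprovider.com'


def demo():
    """Return the outcomes of each check for the scenarios above."""
    return {
        'spoofed_vulnerable': accept_response_vulnerable(SPOOFED, allow=ALLOW_ANCHORED),
        'spoofed_fixed': accept_response_fixed(SPOOFED, allow=ALLOW_ANCHORED),
        'legit_fixed': accept_response_fixed(LEGIT, allow=ALLOW_ANCHORED),
        'embedded_unanchored': provider_allowed(EMBEDDED, allow=ALLOW_UNANCHORED),
        'embedded_anchored': provider_allowed(EMBEDDED, allow=ALLOW_ANCHORED),
        'legit_but_denied': accept_response_fixed(LEGIT, allow=ALLOW_ANCHORED, deny=[r'/you$']),
    }


if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name:22s} -> {"accepted" if ok else "rejected"}')
```

The display identifier is still fine to show in the UI; it just carries no authority. Whatever the consumer library returns as the signed claimed identifier is the only value the allow/deny policy should see, and the patterns in that policy should be anchored to the scheme and host.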