From 37201062e1233ee6cb4627016303e40d1ad3fa4a Mon Sep 17 00:00:00 2001
From: David Glasser
Date: Mon, 8 Oct 2012 20:53:30 -0700
Subject: [PATCH] Only allow users to configure login services that are actually part of the app.

(Well, and services with names like "registerLoginHandler", but whatever.)

This prevents this attack:
- Alice launches site with Facebook login
- Mallory sends configureLoginService method to configure the Twitter service
- Alice runs "meteor add accounts-twitter" and is impressed that Twitter integration Just Works with no configuration
- Now the app is using Mallory's credentials
---
 packages/accounts-base/accounts_server.js | 10 +++++++---
 packages/accounts-ui-unstyled/login_buttons_dialogs.js | 2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/packages/accounts-base/accounts_server.js b/packages/accounts-base/accounts_server.js
index e25af05544..95fa5b113a 100644
--- a/packages/accounts-base/accounts_server.js
+++ b/packages/accounts-base/accounts_server.js
@@ -260,10 +260,14 @@
 // to this collection are also allowed in insecure mode.
 Meteor.methods({
 "configureLoginService": function(options) {
- if (!Accounts.configuration.findOne({service: options.service}))
- Accounts.configuration.insert(options);
- else
+ // Don't let random users configure a service we haven't added yet (so
+ // that when we do later add it, it's set up with their configuration
+ // instead of ours).
+ if (!Accounts[options.service])
+ throw new Meteor.Error(403, "Service unknown");
+ if (Accounts.configuration.findOne({service: options.service}))
 throw new Meteor.Error(403, "Service " + options.service + " already configured");
+ Accounts.configuration.insert(options);
 }
 });
diff --git a/packages/accounts-ui-unstyled/login_buttons_dialogs.js b/packages/accounts-ui-unstyled/login_buttons_dialogs.js
index d113e085d7..47fa8e8641 100644
--- a/packages/accounts-ui-unstyled/login_buttons_dialogs.js
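Review bot: The new `Accounts[options.service]` guard accepts any truthy property reachable on the Accounts object, including inherited ones such as `constructor` or `toString` and non-service helpers like `registerLoginHandler` (as the commit message itself notes), and the property lookup coerces a non-string `options.service` while the `findOne`/`insert` below store the value as given, so the two checks can disagree on the same input. Tightening it to an own-property test on a string, `if (typeof options.service !== 'string' || !Object.prototype.hasOwnProperty.call(Accounts, options.service))`, keeps the fix while closing those gaps; an explicit set of registered service names would be tighter still. The remaining fields of `options` are still inserted into `Accounts.configuration` unvalidated from any client, so restricting the stored keys, and adding a unique index on `service` so the find-then-insert cannot race (inferred from the code, not demonstrated here), are worth a follow-up.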
+++ b/packages/accounts-ui-unstyled/login_buttons_dialogs.js
@@ -170,7 +170,7 @@
 // Configure this login service
 Meteor.call("configureLoginService", configuration, function (error, result) {
 if (error)
- Meteor._debug("Error configurating login service " + serviceName, error);
+ Meteor._debug("Error configuring login service " + serviceName, error);
 else
 loginButtonsSession.set('configureLoginServiceDialogVisible', false);
 });