Merge branch 'master' into devel

Conflicts: History.md packages/oauth1/oauth1_server.js
2026-05-02 03:01:46 -04:00 · 2014-04-21 15:29:31 -07:00
parent 8c38550315 f016894e7b
commit b6501d4ebe
12 changed files with 26 additions and 19 deletions
--- a/History.md
+++ b/History.md
@@ -29,6 +29,13 @@
  - Node.js from 0.10.25 to 0.10.26.
  - MongoDB driver from 1.3.19 to 1.4.1

+
+## v0.8.0.1
+
+* Fix security flaw in OAuth1 implementation. Clients can no longer
+  choose the callback_url for OAuth1 logins.
+
+
 ## v0.8.0

 Meteor 0.8.0 introduces Blaze, a total rewrite of our live templating engine,
--- a/docs/.meteor/release
+++ b/docs/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/docs/lib/release-override.js
+++ b/docs/lib/release-override.js
@@ -1,5 +1,5 @@
 // While galaxy apps are on their own special meteor releases, override
 // Meteor.release here.
 if (Meteor.isClient) {
-  Meteor.release = Meteor.release ? "0.8.0" : undefined;
+  Meteor.release = Meteor.release ? "0.8.0.1" : undefined;
 }
--- a/examples/clock/.meteor/release
+++ b/examples/clock/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/examples/leaderboard/.meteor/release
+++ b/examples/leaderboard/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/examples/parties/.meteor/release
+++ b/examples/parties/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/examples/todos/.meteor/release
+++ b/examples/todos/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/examples/wordplay/.meteor/release
+++ b/examples/wordplay/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
--- a/packages/oauth1/oauth1_server.js
+++ b/packages/oauth1/oauth1_server.js
@@ -11,9 +11,11 @@ Oauth._requestHandlers['1'] = function (service, query, res) {

  if (query.requestTokenAndRedirect) {
    // step 1 - get and store a request token
+    var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" +
+                                         query.state);

    // Get a request token to start auth process
-    oauthBinding.prepareRequestToken(query.requestTokenAndRedirect);
+    oauthBinding.prepareRequestToken(callbackUrl);

    // Keep track of request token so we can verify it on the next step
    Oauth._storeRequestToken(query.state,
--- a/packages/twitter/twitter_client.js
+++ b/packages/twitter/twitter_client.js
@@ -24,14 +24,9 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback
  // a credentialToken parameter to the url and the callback url that we'll be returned
  // to by oauth provider

-  // url back to app, enters "step 2" as described in
-  // packages/accounts-oauth1-helper/oauth1_server.js
-  var callbackUrl = Meteor.absoluteUrl('_oauth/twitter?close&state=' + credentialToken);
-
  // url to app, enters "step 1" as described in
  // packages/accounts-oauth1-helper/oauth1_server.js
-  var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect='
-        + encodeURIComponent(callbackUrl)
+  var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=true'
        + '&state=' + credentialToken;

  Oauth.showPopup(
--- a/scripts/admin/banner.txt
+++ b/scripts/admin/banner.txt
@@ -1,7 +1,4 @@
-=> Meteor 0.8.0: Introducing Blaze, Meteor's new live templating engine!
-   Better integration with jQuery plugins, fine-grained updates,
-   reactive SVG support, and more!
-   https://github.com/meteor/meteor/wiki/Using-Blaze
+=> Meteor 0.8.0.1: Fix security problem in Twitter OAuth flow.

   This release is being downloaded in the background. Update your
-   project to Meteor 0.8.0 by running 'meteor update'.
+   project to Meteor 0.8.0.1 by running 'meteor update'.
--- a/scripts/admin/notices.json
+++ b/scripts/admin/notices.json
@@ -94,6 +94,9 @@
  {
    "release": "0.7.2"
  },
+  {
+    "release": "0.7.2.1"
+  },
  {
    "release": "0.8.0",
    "notices": [
@@ -111,6 +114,9 @@
                   "http://madewith.meteor.com/ no longer supports app badges."]
    }
  },
+  {
+    "release": "0.8.0.1"
+  },
  {
    "release": "NEXT"
  }
@@ -1 +1 @@
 .8.0
 .8.0.1