From 3ad16722828ad351e1bfd2ace2718d3e0008c677 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 21 Apr 2014 14:20:24 -0700 Subject: [PATCH 1/6] Fix open redirector in oauth1 login flow. Clients are no longer allowed to specify callback URLs. --- History.md | 6 ++++++ packages/oauth1/oauth1_server.js | 6 ++++-- packages/twitter/twitter_client.js | 7 +------ 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/History.md b/History.md index ea5b25a44f..2fc9926153 100644 --- a/History.md +++ b/History.md @@ -1,5 +1,11 @@ ## v.NEXT +## v0.8.0.1 + +* Fix security flaw in OAuth1 implementation. Clients can no longer + choose the callback_url for OAuth1 logins. + + ## v0.8.0 Meteor 0.8.0 introduces Blaze, a total rewrite of our live templating engine, diff --git a/packages/oauth1/oauth1_server.js b/packages/oauth1/oauth1_server.js index 6a61fbd6c7..c01b32a654 100644 --- a/packages/oauth1/oauth1_server.js +++ b/packages/oauth1/oauth1_server.js @@ -16,13 +16,15 @@ Oauth._requestHandlers['1'] = function (service, query, res) { if (query.requestTokenAndRedirect) { // step 1 - get and store a request token + var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" + + query.state); // Get a request token to start auth process - oauthBinding.prepareRequestToken(query.requestTokenAndRedirect); + oauthBinding.prepareRequestToken(callbackUrl); // Keep track of request token so we can verify it on the next step requestTokens[query.state] = { - requestToken: oauthBinding.requestToken, + requestToken: oauthBinding.requestToken, requestTokenSecret: oauthBinding.requestTokenSecret }; diff --git a/packages/twitter/twitter_client.js b/packages/twitter/twitter_client.js index c8ca6fd44e..d2d919a51b 100644 --- a/packages/twitter/twitter_client.js +++ b/packages/twitter/twitter_client.js 
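Review bot: The new `callbackUrl` hard-codes the `twitter` route even though this is the generic OAuth1 handler that receives a `service` argument, so any other OAuth1 service dispatched through `Oauth._requestHandlers['1']` would be sent back to Twitter's callback path; derive the segment from the service instead, e.g. `var callbackUrl = Meteor.absoluteUrl("_oauth/" + service.serviceName + "?close&state=" + encodeURIComponent(query.state));` (I believe `serviceName` is the field the rest of this handler reads from `service`, but that code is outside the hunk — confirm). The `Meteor.absoluteUrl` call is what actually closes the open redirect, since it pins the origin to the app's own root URL no matter what the client sends, so keep it rather than reintroducing any pass-through of a client-supplied URL. `query.state` is a raw query-string value under the caller's control; without `encodeURIComponent` a value containing `&`, `#` or `?` alters the callback URL's own query string (it cannot change the origin, but it can break the `close`/`state` round-trip that step 2 relies on). The enclosing handler function begins before this hunk and its body continues after it.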
@@ -23,14 +23,9 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback // a credentialToken parameter to the url and the callback url that we'll be returned // to by oauth provider - // url back to app, enters "step 2" as described in - // packages/accounts-oauth1-helper/oauth1_server.js - var callbackUrl = Meteor.absoluteUrl('_oauth/twitter?close&state=' + credentialToken); - // url to app, enters "step 1" as described in // packages/accounts-oauth1-helper/oauth1_server.js - var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=' - + encodeURIComponent(callbackUrl) + var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=true' + '&state=' + credentialToken; Oauth.showPopup( From dd7c90d3aebbb376364288a8b602226e40d7396c Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 21 Apr 2014 14:47:00 -0700 Subject: [PATCH 2/6] Update docs and examples --- docs/.meteor/release | 2 +- docs/lib/release-override.js | 2 +- examples/clock/.meteor/release | 2 +- examples/leaderboard/.meteor/release | 2 +- examples/parties/.meteor/release | 2 +- examples/todos/.meteor/release | 2 +- examples/wordplay/.meteor/release | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/.meteor/release b/docs/.meteor/release index 6b184fbe05..16d0489698 100644 --- a/docs/.meteor/release +++ b/docs/.meteor/release @@ -1 +1 @@ -0.8.0-rc3 +0.8.0.1-rc1 diff --git a/docs/lib/release-override.js b/docs/lib/release-override.js index b99159cbf3..6ca2e658be 100644 --- a/docs/lib/release-override.js +++ b/docs/lib/release-override.js @@ -1,5 +1,5 @@ // While galaxy apps are on their own special meteor releases, override // Meteor.release here. if (Meteor.isClient) { - Meteor.release = Meteor.release ? "0.7.2" : undefined; + Meteor.release = Meteor.release ? "0.8.0.1" : undefined; } diff --git a/examples/clock/.meteor/release b/examples/clock/.meteor/release index 621e94f0ec..16d0489698 100644 --- a/examples/clock/.meteor/release 
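Review bot: The surviving comments in this hunk are now stale: the one just above the retained lines still says the request carries "the callback url that we'll be returned to by oauth provider", but the new `loginUrl` only sends `requestTokenAndRedirect=true` and `state` — the callback is built on the server now — and the cited path `packages/accounts-oauth1-helper/oauth1_server.js` does not match the file this same patch edits, `packages/oauth1/oauth1_server.js`. I would replace that run of comments with `// The server builds the OAuth callback URL itself (see packages/oauth1/oauth1_server.js, "step 1");` and `// the client only passes credentialToken as the state parameter, so it can no longer choose where the provider redirects.`. Separately, `credentialToken` is concatenated into `loginUrl` without `encodeURIComponent`; it is presumably an opaque generated id (its creation is above the hunk), but encoding it costs nothing and keeps the query well-formed if that ever changes. `Twitter.requestCredential` starts before this hunk and continues after it.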
+++ b/examples/clock/.meteor/release @@ -1 +1 @@ -none +0.8.0.1-rc1 diff --git a/examples/leaderboard/.meteor/release b/examples/leaderboard/.meteor/release index 7486fdbc50..16d0489698 100644 --- a/examples/leaderboard/.meteor/release +++ b/examples/leaderboard/.meteor/release @@ -1 +1 @@ -0.7.2 +0.8.0.1-rc1 diff --git a/examples/parties/.meteor/release b/examples/parties/.meteor/release index 7486fdbc50..16d0489698 100644 --- a/examples/parties/.meteor/release +++ b/examples/parties/.meteor/release @@ -1 +1 @@ -0.7.2 +0.8.0.1-rc1 diff --git a/examples/todos/.meteor/release b/examples/todos/.meteor/release index 7486fdbc50..16d0489698 100644 --- a/examples/todos/.meteor/release +++ b/examples/todos/.meteor/release @@ -1 +1 @@ -0.7.2 +0.8.0.1-rc1 diff --git a/examples/wordplay/.meteor/release b/examples/wordplay/.meteor/release index 7486fdbc50..16d0489698 100644 --- a/examples/wordplay/.meteor/release +++ b/examples/wordplay/.meteor/release @@ -1 +1 @@ -0.7.2 +0.8.0.1-rc1 From 41d36b671a2bbe3538b353738b2186607c3024c7 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 21 Apr 2014 14:50:56 -0700 Subject: [PATCH 3/6] Update banner text --- scripts/admin/banner.txt | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/scripts/admin/banner.txt b/scripts/admin/banner.txt index cb26735a33..92f42a493e 100644 --- a/scripts/admin/banner.txt +++ b/scripts/admin/banner.txt @@ -1,7 +1,4 @@ -=> Meteor 0.8.0: Introducing Blaze, Meteor's new live templating engine! - Better integration with jQuery plugins, fine-grained updates, - reactive SVG support, and more! - https://github.com/meteor/meteor/wiki/Using-Blaze +=> Meteor 0.8.0.1: Fix security problem in Twitter OAuth flow. This release is being downloaded in the background. Update your - project to Meteor 0.8.0 by running 'meteor update'. + project to Meteor 0.8.0.1 by running 'meteor update'. From 700673592ce95fdcc8faea4302a7308ad9a8763e Mon Sep 17 00:00:00 2001 
From: Emily Stark Date: Mon, 21 Apr 2014 14:51:59 -0700 Subject: [PATCH 4/6] Update notices --- scripts/admin/notices.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/admin/notices.json b/scripts/admin/notices.json index a0374986de..2a6e4d880f 100644 --- a/scripts/admin/notices.json +++ b/scripts/admin/notices.json @@ -111,6 +111,9 @@ "http://madewith.meteor.com/ no longer supports app badges."] } }, + { + "release": "0.8.0.1" + }, { "release": "NEXT" } From 0e5e38f0066f3b85a3e3264ea6e0fc7c299982c1 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 21 Apr 2014 15:21:25 -0700 Subject: [PATCH 5/6] Update docs and examples to 0.8.0.1 --- docs/.meteor/release | 2 +- examples/clock/.meteor/release | 2 +- examples/leaderboard/.meteor/release | 2 +- examples/parties/.meteor/release | 2 +- examples/todos/.meteor/release | 2 +- examples/wordplay/.meteor/release | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/.meteor/release b/docs/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/docs/.meteor/release +++ b/docs/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 diff --git a/examples/clock/.meteor/release b/examples/clock/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/examples/clock/.meteor/release +++ b/examples/clock/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 diff --git a/examples/leaderboard/.meteor/release b/examples/leaderboard/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/examples/leaderboard/.meteor/release +++ b/examples/leaderboard/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 diff --git a/examples/parties/.meteor/release b/examples/parties/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/examples/parties/.meteor/release +++ b/examples/parties/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 diff --git a/examples/todos/.meteor/release b/examples/todos/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/examples/todos/.meteor/release 
+++ b/examples/todos/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 diff --git a/examples/wordplay/.meteor/release b/examples/wordplay/.meteor/release index 16d0489698..4b324f2d8f 100644 --- a/examples/wordplay/.meteor/release +++ b/examples/wordplay/.meteor/release @@ -1 +1 @@ -0.8.0.1-rc1 +0.8.0.1 From 25e3428132ea29293f9bb283c3dc58e6f075c275 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 21 Apr 2014 15:21:53 -0700 Subject: [PATCH 6/6] Add 0.7.2.1 to notices --- scripts/admin/notices.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/admin/notices.json b/scripts/admin/notices.json index 2a6e4d880f..3d232543db 100644 --- a/scripts/admin/notices.json +++ b/scripts/admin/notices.json @@ -94,6 +94,9 @@ { "release": "0.7.2" }, + { + "release": "0.7.2.1" + }, { "release": "0.8.0", "notices": [