[OAuth2] Don't send unnecessary modhash to OAuth clients

2026-04-27 03:00:12 -04:00 · 2014-04-14 11:16:46 -07:00
parent 4150c399ee
commit d6848c8d14
1 changed files with 5 additions and 0 deletions
--- a/r2/r2/models/account.py
+++ b/r2/r2/models/account.py
@@ -273,6 +273,11 @@ class Account(Thing):
        return not g.disable_captcha and self.link_karma < 1

    def modhash(self, rand=None, test=False):
+        if c.oauth_user:
+            # OAuth clients should never receive a modhash of any kind
+            # as they could use it in a CSRF attack to bypass their
+            # permitted OAuth scopes.
+            return None
        return modhash(self, rand = rand, test = test)
    
    def valid_hash(self, hash):