[gnome-online-accounts] oauth2: Don't parse the DOM to detect access_denied



commit 210f5b58028b7fa675e88778a8568c3e6a8afa2a
Author: Debarshi Ray <debarshir gnome org>
Date:   Mon Oct 7 16:14:58 2013 +0200

    oauth2: Don't parse the DOM to detect access_denied
    
    Compliant OAuth2 implementations should return access_denied if the
    user denied access through the embedded web view. We should look for
    this instead of parsing the DOM whenever possible, because DOMs are
    fragile and can be changed at will on the server-side.
    
    See 4.1.2.1 for more information on the error codes:
    https://tools.ietf.org/html/draft-ietf-oauth-v2-23
    
    Google, Facebook and Windows Live have compliant implementations.
    
    Fixes: https://bugzilla.gnome.org/709570

 src/goabackend/goafacebookprovider.c    |   21 +----------------
 src/goabackend/goagoogleprovider.c      |   21 +----------------
 src/goabackend/goaoauth2provider.c      |   37 +++++++++++++++++++++----------
 src/goabackend/goautils.h               |    2 +
 src/goabackend/goawindowsliveprovider.c |   21 +----------------
 5 files changed, 30 insertions(+), 72 deletions(-)
---
diff --git a/src/goabackend/goafacebookprovider.c b/src/goabackend/goafacebookprovider.c
index a73a4d5..e8e68cd 100644
--- a/src/goabackend/goafacebookprovider.c
+++ b/src/goabackend/goafacebookprovider.c
@@ -279,26 +279,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMHTMLButtonElement *button_element;
-  gboolean ret;
-  gchar *name;
-
-  name = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
-    goto out;
-
-  button_element = WEBKIT_DOM_HTML_BUTTON_ELEMENT (node);
-  name = webkit_dom_html_button_element_get_name (button_element);
-  if (g_strcmp0 (name, "cancel_clicked") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (name);
-  return ret;
+  return FALSE;
 }
 
 static gboolean
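Review bot: `is_deny_node` is reduced to an unconditional `return FALSE;` with both parameters unused, and the identical stub is left behind in goagoogleprovider.c and goawindowsliveprovider.c as well. If the base class in goaoauth2provider.c already treats a missing `is_deny_node` vfunc as "never a deny node" (not visible here), the three overrides and wherever they are registered could be dropped rather than kept as dead code. If they have to stay for the vtable, a one-line comment such as `/* Denial is now detected via the access_denied error in the redirect URI, not by inspecting the DOM. */` above the return would tell the next reader why the override is empty.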
diff --git a/src/goabackend/goagoogleprovider.c b/src/goabackend/goagoogleprovider.c
index bb9be1b..f6cfa2f 100644
--- a/src/goabackend/goagoogleprovider.c
+++ b/src/goabackend/goagoogleprovider.c
@@ -263,26 +263,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMElement *element;
-  gboolean ret;
-  gchar *id;
-
-  id = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
-    goto out;
-
-  element = WEBKIT_DOM_ELEMENT (node);
-  id = webkit_dom_element_get_id (element);
-  if (g_strcmp0 (id, "submit_deny_access") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (id);
-  return ret;
+  return FALSE;
 }
 
 static gboolean
diff --git a/src/goabackend/goaoauth2provider.c b/src/goabackend/goaoauth2provider.c
index 132f66c..37c15ce 100644
--- a/src/goabackend/goaoauth2provider.c
+++ b/src/goabackend/goaoauth2provider.c
@@ -876,6 +876,7 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
 {
   GoaOAuth2Provider *provider = GOA_OAUTH2_PROVIDER (user_data);
   GoaOAuth2ProviderPrivate *priv = provider->priv;
+  const gchar *oauth2_error;
   const gchar *redirect_uri;
   const gchar *requested_uri;
 
@@ -910,12 +911,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
             }
           else
             {
-              g_set_error (&priv->error,
-                           GOA_ERROR,
-                           GOA_ERROR_NOT_AUTHORIZED,
-                           _("Authorization response was ‘%s’"),
-                           (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
-              gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+              oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+              if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+                gtk_dialog_response (priv->dialog, GTK_RESPONSE_CANCEL);
+              else
+                {
+                  g_set_error (&priv->error,
+                               GOA_ERROR,
+                               GOA_ERROR_NOT_AUTHORIZED,
+                               _("Authorization response was ‘%s’"),
+                               oauth2_error);
+                  gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+                }
             }
           g_hash_table_unref (key_value_pairs);
           webkit_web_policy_decision_ignore (policy_decision);
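Review bot: `oauth2_error` is NULL whenever the redirect carries no `error` parameter, and the new `else` branch passes it straight to the `%s` of `_("Authorization response was ‘%s’")`; `g_strcmp0` tolerates the NULL, but the formatted message does not, unless the `if` that this `else` belongs to (outside the hunk) already guarantees the key is present. A fallback such as `if (oauth2_error == NULL) oauth2_error = "";` before the comparison, or a distinct message for a response that has neither a code nor an error, would make the branch self-contained. The same twelve-line block is repeated verbatim in this file's second hunk (the one at line 957 of the new file), so a small static helper taking `provider` and `oauth2_error` that issues the CANCEL/CLOSE response would keep the `access_denied` policy in one place. The enclosing function `on_web_view_navigation_policy_decision_requested` starts before this hunk and continues after it.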
@@ -950,12 +957,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
             }
           else
             {
-              g_set_error (&priv->error,
-                           GOA_ERROR,
-                           GOA_ERROR_NOT_AUTHORIZED,
-                           _("Authorization response was ‘%s’"),
-                           (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
-              gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+              oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+              if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+                gtk_dialog_response (priv->dialog, GTK_RESPONSE_CANCEL);
+              else
+                {
+                  g_set_error (&priv->error,
+                               GOA_ERROR,
+                               GOA_ERROR_NOT_AUTHORIZED,
+                               _("Authorization response was ‘%s’"),
+                               oauth2_error);
+                  gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+                }
             }
           g_hash_table_unref (key_value_pairs);
           webkit_web_policy_decision_ignore (policy_decision);
diff --git a/src/goabackend/goautils.h b/src/goabackend/goautils.h
index eb9af3b..82edd8a 100644
--- a/src/goabackend/goautils.h
+++ b/src/goabackend/goautils.h
@@ -34,6 +34,8 @@
 
 G_BEGIN_DECLS
 
+#define GOA_OAUTH2_ACCESS_DENIED "access_denied"
+
 typedef gpointer (*GoaPeekInterfaceFunc)   (GoaObject *);
 
 void             goa_utils_initialize_client_factory (void);
diff --git a/src/goabackend/goawindowsliveprovider.c b/src/goabackend/goawindowsliveprovider.c
index 19b91e8..a3d5aa2 100644
--- a/src/goabackend/goawindowsliveprovider.c
+++ b/src/goabackend/goawindowsliveprovider.c
@@ -265,26 +265,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMHTMLInputElement *input_element;
-  gboolean ret;
-  gchar *name;
-
-  name = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_INPUT_ELEMENT (node))
-    goto out;
-
-  input_element = WEBKIT_DOM_HTML_INPUT_ELEMENT (node);
-  name = webkit_dom_html_input_element_get_name (input_element);
-  if (g_strcmp0 (name, "ucdeny") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (name);
-  return ret;
+  return FALSE;
 }
 
 static gboolean

