[gnome-online-accounts/gnome-3-8] oauth2: Don't parse the DOM to detect access_denied
- From: Debarshi Ray <debarshir src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-online-accounts/gnome-3-8] oauth2: Don't parse the DOM to detect access_denied
- Date: Mon, 7 Oct 2013 15:24:39 +0000 (UTC)
commit 8ad5e6282c1a6b7b6683d1d6319bf382de408cf2
Author: Debarshi Ray <debarshir gnome org>
Date: Mon Oct 7 16:14:58 2013 +0200
oauth2: Don't parse the DOM to detect access_denied
Compliant OAuth2 implementations should return access_denied if the
user denied access through the embedded web view. We should look for
this instead of parsing the DOM whenever possible, because DOMs are
fragile and can be changed at will on the server-side.
See section 4.1.2.1 of the OAuth 2.0 specification (draft-ietf-oauth-v2-23, since published as RFC 6749) for the defined error codes:
https://tools.ietf.org/html/draft-ietf-oauth-v2-23
Google, Facebook and Windows Live have compliant implementations.
Fixes: https://bugzilla.gnome.org/709570
src/goabackend/goafacebookprovider.c | 21 +----------------
src/goabackend/goagoogleprovider.c | 21 +----------------
src/goabackend/goaoauth2provider.c | 37 +++++++++++++++++++++----------
src/goabackend/goautils.h | 2 +
src/goabackend/goawindowsliveprovider.c | 21 +----------------
5 files changed, 30 insertions(+), 72 deletions(-)
---
diff --git a/src/goabackend/goafacebookprovider.c b/src/goabackend/goafacebookprovider.c
index b65bf8c..5dc5e60 100644
--- a/src/goabackend/goafacebookprovider.c
+++ b/src/goabackend/goafacebookprovider.c
@@ -273,26 +273,7 @@ get_identity_sync (GoaOAuth2Provider *provider,
static gboolean
is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
{
- WebKitDOMHTMLButtonElement *button_element;
- gboolean ret;
- gchar *name;
-
- name = NULL;
- ret = FALSE;
-
- if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
- goto out;
-
- button_element = WEBKIT_DOM_HTML_BUTTON_ELEMENT (node);
- name = webkit_dom_html_button_element_get_name (button_element);
- if (g_strcmp0 (name, "cancel_clicked") != 0)
- goto out;
-
- ret = TRUE;
-
- out:
- g_free (name);
- return ret;
+ return FALSE;
}
static gboolean
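Review bot: The is_deny_node override at the top of the hunk is now a stub that ignores both parameters and always returns FALSE, so whatever DOM walk the base class performs before calling it is wasted work for this provider; if GoaOAuth2ProviderClass treats the vfunc as optional (or its default already returns FALSE), dropping the function and its class_init assignment is cleaner than keeping an empty override. If the stub has to stay, a one-line comment would stop someone re-adding DOM matching later, e.g. `/* Deliberately a no-op: Facebook returns error=access_denied on the redirect URI, which goaoauth2provider.c handles; matching the cancel button in the DOM was fragile (bug 709570). */`. The class_init wiring and the base-class caller are outside this hunk, so whether the override can be removed outright is an inference.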
diff --git a/src/goabackend/goagoogleprovider.c b/src/goabackend/goagoogleprovider.c
index f12b7d0..b3accdb 100644
--- a/src/goabackend/goagoogleprovider.c
+++ b/src/goabackend/goagoogleprovider.c
@@ -253,26 +253,7 @@ get_identity_sync (GoaOAuth2Provider *provider,
static gboolean
is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
{
- WebKitDOMHTMLElement *element;
- gboolean ret;
- gchar *id;
-
- id = NULL;
- ret = FALSE;
-
- if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
- goto out;
-
- element = WEBKIT_DOM_HTML_ELEMENT (node);
- id = webkit_dom_html_element_get_id (element);
- if (g_strcmp0 (id, "submit_deny_access") != 0)
- goto out;
-
- ret = TRUE;
-
- out:
- g_free (id);
- return ret;
+ return FALSE;
}
static gboolean
diff --git a/src/goabackend/goaoauth2provider.c b/src/goabackend/goaoauth2provider.c
index a85fe8d..e237ead 100644
--- a/src/goabackend/goaoauth2provider.c
+++ b/src/goabackend/goaoauth2provider.c
@@ -811,6 +811,7 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView *web
gpointer user_data)
{
IdentifyData *data = user_data;
+ const gchar *oauth2_error;
const gchar *redirect_uri;
const gchar *requested_uri;
@@ -845,12 +846,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView *web
}
else
{
- g_set_error (&data->error,
- GOA_ERROR,
- GOA_ERROR_NOT_AUTHORIZED,
- _("Authorization response was \"%s\""),
- (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
- gtk_dialog_response (data->dialog, GTK_RESPONSE_CLOSE);
+ oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+ if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+ gtk_dialog_response (data->dialog, GTK_RESPONSE_CANCEL);
+ else
+ {
+ g_set_error (&data->error,
+ GOA_ERROR,
+ GOA_ERROR_NOT_AUTHORIZED,
+ _("Authorization response was \"%s\""),
+ oauth2_error);
+ gtk_dialog_response (data->dialog, GTK_RESPONSE_CLOSE);
+ }
}
g_hash_table_unref (key_value_pairs);
webkit_web_policy_decision_ignore (policy_decision);
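Review bot: The twelve added lines that look up `error`, compare it with GOA_OAUTH2_ACCESS_DENIED and then either cancel the dialog or set GOA_ERROR_NOT_AUTHORIZED are repeated verbatim in the next hunk for the fragment-encoded redirect, so any later change (for instance appending the `error_description` that RFC 6749 §4.1.2.1 lets the server send) has to be made in two places. Factoring the branch into one static helper taking the IdentifyData and the parsed key/value table keeps the query and fragment paths from drifting apart. The enclosing on_web_view_navigation_policy_decision_requested starts before this hunk and continues after it.
```c
/* Map the error= parameter of an OAuth2 redirect to a dialog response.
 * access_denied (RFC 6749 §4.1.2.1) means the user refused consent and is
 * reported as a plain cancel; any other value becomes GOA_ERROR_NOT_AUTHORIZED. */
static void
handle_oauth2_error (IdentifyData *data, GHashTable *key_value_pairs)
{
  const gchar *oauth2_error;

  oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
  if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
    {
      gtk_dialog_response (data->dialog, GTK_RESPONSE_CANCEL);
      return;
    }

  g_set_error (&data->error,
               GOA_ERROR,
               GOA_ERROR_NOT_AUTHORIZED,
               _("Authorization response was \"%s\""),
               oauth2_error);
  gtk_dialog_response (data->dialog, GTK_RESPONSE_CLOSE);
}

/* … unchanged: on_web_view_navigation_policy_decision_requested up to the else branch … */
  else
    {
      handle_oauth2_error (data, key_value_pairs);
    }
```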
@@ -885,12 +892,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView *web
}
else
{
- g_set_error (&data->error,
- GOA_ERROR,
- GOA_ERROR_NOT_AUTHORIZED,
- _("Authorization response was \"%s\""),
- (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
- gtk_dialog_response (data->dialog, GTK_RESPONSE_CLOSE);
+ oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+ if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+ gtk_dialog_response (data->dialog, GTK_RESPONSE_CANCEL);
+ else
+ {
+ g_set_error (&data->error,
+ GOA_ERROR,
+ GOA_ERROR_NOT_AUTHORIZED,
+ _("Authorization response was \"%s\""),
+ oauth2_error);
+ gtk_dialog_response (data->dialog, GTK_RESPONSE_CLOSE);
+ }
}
g_hash_table_unref (key_value_pairs);
webkit_web_policy_decision_ignore (policy_decision);
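Review bot: On the added lookup line `oauth2_error` is NULL whenever the redirect carries no `error` parameter; g_strcmp0 tolerates that, but the else branch then hands NULL to `%s` in g_set_error, which is undefined in C and only prints "(null)" by grace of the platform printf. Whether this branch can be reached with both the success parameter and `error` missing depends on the preceding `if` condition, which lies outside the hunk, but the guard is cheap: pass `oauth2_error != NULL ? oauth2_error : ""` as the format argument instead of `oauth2_error`. Since the value is copied straight from a server-controlled redirect into a user-visible message, a short comment noting that it is untrusted text and must only ever be shown as plain text would also help the next reader. The enclosing function starts before this hunk and continues after it.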
diff --git a/src/goabackend/goautils.h b/src/goabackend/goautils.h
index 454e702..ab593e0 100644
--- a/src/goabackend/goautils.h
+++ b/src/goabackend/goautils.h
@@ -34,6 +34,8 @@
G_BEGIN_DECLS
+#define GOA_OAUTH2_ACCESS_DENIED "access_denied"
+
typedef gpointer (*GoaPeekInterfaceFunc) (GoaObject *);
gboolean goa_utils_check_duplicate (GoaClient *client,
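Review bot: The new GOA_OAUTH2_ACCESS_DENIED macro is a protocol constant shared by several providers but carries no comment saying where the value comes from or what it means, so its spelling looks arbitrary to a reader who has not seen the commit message. A one-liner above it fixes that: `/* OAuth2 error code (RFC 6749 §4.1.2.1): the resource owner or authorization server refused the request. */`.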
diff --git a/src/goabackend/goawindowsliveprovider.c b/src/goabackend/goawindowsliveprovider.c
index ed6e3d3..3d6abf9 100644
--- a/src/goabackend/goawindowsliveprovider.c
+++ b/src/goabackend/goawindowsliveprovider.c
@@ -255,26 +255,7 @@ get_identity_sync (GoaOAuth2Provider *provider,
static gboolean
is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
{
- WebKitDOMHTMLInputElement *input_element;
- gboolean ret;
- gchar *name;
-
- name = NULL;
- ret = FALSE;
-
- if (!WEBKIT_DOM_IS_HTML_INPUT_ELEMENT (node))
- goto out;
-
- input_element = WEBKIT_DOM_HTML_INPUT_ELEMENT (node);
- name = webkit_dom_html_input_element_get_name (input_element);
- if (g_strcmp0 (name, "ucdeny") != 0)
- goto out;
-
- ret = TRUE;
-
- out:
- g_free (name);
- return ret;
+ return FALSE;
}
static gboolean