[gnome-online-accounts/gnome-3-10] oauth2: Don't parse the DOM to detect access_denied



commit 969eb1c4a11a1899b59a225134025b007c502512
Author: Debarshi Ray <debarshir gnome org>
Date:   Mon Oct 7 16:14:58 2013 +0200

    oauth2: Don't parse the DOM to detect access_denied
    
    Compliant OAuth2 implementations should return access_denied if the
    user denied access through the embedded web view. We should look for
    this instead of parsing the DOM whenever possible, because DOMs are
    fragile and can be changed at will on the server-side.
    
    See 4.1.2.1 for more information on the error codes:
    https://tools.ietf.org/html/draft-ietf-oauth-v2-23
    
    Google, Facebook and Windows Live have compliant implementations.
    
    Fixes: https://bugzilla.gnome.org/709570

 src/goabackend/goafacebookprovider.c    |   21 +----------------
 src/goabackend/goagoogleprovider.c      |   21 +----------------
 src/goabackend/goaoauth2provider.c      |   37 +++++++++++++++++++++----------
 src/goabackend/goautils.h               |    2 +
 src/goabackend/goawindowsliveprovider.c |   21 +----------------
 5 files changed, 30 insertions(+), 72 deletions(-)
---
diff --git a/src/goabackend/goafacebookprovider.c b/src/goabackend/goafacebookprovider.c
index 56947ef..06cdf8e 100644
--- a/src/goabackend/goafacebookprovider.c
+++ b/src/goabackend/goafacebookprovider.c
@@ -279,26 +279,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMHTMLButtonElement *button_element;
-  gboolean ret;
-  gchar *name;
-
-  name = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
-    goto out;
-
-  button_element = WEBKIT_DOM_HTML_BUTTON_ELEMENT (node);
-  name = webkit_dom_html_button_element_get_name (button_element);
-  if (g_strcmp0 (name, "cancel_clicked") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (name);
-  return ret;
+  return FALSE;
 }
 
 static gboolean
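Review bot: The `is_deny_node` body collapses to `return FALSE;` while still taking `provider` and `node`, so the function is now a stub with two unused parameters and nothing in the hunk says why it is kept; the same stub appears in the goagoogleprovider.c and goawindowsliveprovider.c hunks. Presumably it stays because the vfunc is still wired into the provider class outside these hunks, and if so a one-line comment saves the next reader from looking for the DOM logic, e.g. `/* Denial is detected from the access_denied error in the redirect URI (goaoauth2provider.c); no DOM inspection is needed. */`. If the vfunc is no longer consulted anywhere, removing the three stubs and the class slot would be cleaner than keeping dead overrides.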
diff --git a/src/goabackend/goagoogleprovider.c b/src/goabackend/goagoogleprovider.c
index d317a6c..9eeb662 100644
--- a/src/goabackend/goagoogleprovider.c
+++ b/src/goabackend/goagoogleprovider.c
@@ -263,26 +263,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMElement *element;
-  gboolean ret;
-  gchar *id;
-
-  id = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_BUTTON_ELEMENT (node))
-    goto out;
-
-  element = WEBKIT_DOM_ELEMENT (node);
-  id = webkit_dom_element_get_id (element);
-  if (g_strcmp0 (id, "submit_deny_access") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (id);
-  return ret;
+  return FALSE;
 }
 
 static gboolean
diff --git a/src/goabackend/goaoauth2provider.c b/src/goabackend/goaoauth2provider.c
index b545535..8efdea5 100644
--- a/src/goabackend/goaoauth2provider.c
+++ b/src/goabackend/goaoauth2provider.c
@@ -876,6 +876,7 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
 {
   GoaOAuth2Provider *provider = GOA_OAUTH2_PROVIDER (user_data);
   GoaOAuth2ProviderPrivate *priv = provider->priv;
+  const gchar *oauth2_error;
   const gchar *redirect_uri;
   const gchar *requested_uri;
 
@@ -910,12 +911,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
             }
           else
             {
-              g_set_error (&priv->error,
-                           GOA_ERROR,
-                           GOA_ERROR_NOT_AUTHORIZED,
-                           _("Authorization response was \"%s\""),
-                           (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
-              gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+              oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+              if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+                gtk_dialog_response (priv->dialog, GTK_RESPONSE_CANCEL);
+              else
+                {
+                  g_set_error (&priv->error,
+                               GOA_ERROR,
+                               GOA_ERROR_NOT_AUTHORIZED,
+                               _("Authorization response was \"%s\""),
+                               oauth2_error);
+                  gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+                }
             }
           g_hash_table_unref (key_value_pairs);
           webkit_web_policy_decision_ignore (policy_decision);
@@ -950,12 +957,18 @@ on_web_view_navigation_policy_decision_requested (WebKitWebView             *web
             }
           else
             {
-              g_set_error (&priv->error,
-                           GOA_ERROR,
-                           GOA_ERROR_NOT_AUTHORIZED,
-                           _("Authorization response was \"%s\""),
-                           (const gchar *) g_hash_table_lookup (key_value_pairs, "error"));
-              gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+              oauth2_error = (const gchar *) g_hash_table_lookup (key_value_pairs, "error");
+              if (g_strcmp0 (oauth2_error, GOA_OAUTH2_ACCESS_DENIED) == 0)
+                gtk_dialog_response (priv->dialog, GTK_RESPONSE_CANCEL);
+              else
+                {
+                  g_set_error (&priv->error,
+                               GOA_ERROR,
+                               GOA_ERROR_NOT_AUTHORIZED,
+                               _("Authorization response was \"%s\""),
+                               oauth2_error);
+                  gtk_dialog_response (priv->dialog, GTK_RESPONSE_CLOSE);
+                }
             }
           g_hash_table_unref (key_value_pairs);
           webkit_web_policy_decision_ignore (policy_decision);
diff --git a/src/goabackend/goautils.h b/src/goabackend/goautils.h
index eb9af3b..82edd8a 100644
--- a/src/goabackend/goautils.h
+++ b/src/goabackend/goautils.h
@@ -34,6 +34,8 @@
 
 G_BEGIN_DECLS
 
+#define GOA_OAUTH2_ACCESS_DENIED "access_denied"
+
 typedef gpointer (*GoaPeekInterfaceFunc)   (GoaObject *);
 
 void             goa_utils_initialize_client_factory (void);
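Review bot: `GOA_OAUTH2_ACCESS_DENIED` is added to a shared header without a comment saying where the value comes from, so a reader of goautils.h has no hint that it is a protocol constant rather than a project-internal string. A short comment above the define would carry the context the commit message gives, e.g. `/* "error" value an OAuth2 authorization server returns when the user refuses the request (draft-ietf-oauth-v2 4.1.2.1). */`.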
diff --git a/src/goabackend/goawindowsliveprovider.c b/src/goabackend/goawindowsliveprovider.c
index 264d630..3a38646 100644
--- a/src/goabackend/goawindowsliveprovider.c
+++ b/src/goabackend/goawindowsliveprovider.c
@@ -263,26 +263,7 @@ get_identity_sync (GoaOAuth2Provider  *provider,
 static gboolean
 is_deny_node (GoaOAuth2Provider *provider, WebKitDOMNode *node)
 {
-  WebKitDOMHTMLInputElement *input_element;
-  gboolean ret;
-  gchar *name;
-
-  name = NULL;
-  ret = FALSE;
-
-  if (!WEBKIT_DOM_IS_HTML_INPUT_ELEMENT (node))
-    goto out;
-
-  input_element = WEBKIT_DOM_HTML_INPUT_ELEMENT (node);
-  name = webkit_dom_html_input_element_get_name (input_element);
-  if (g_strcmp0 (name, "ucdeny") != 0)
-    goto out;
-
-  ret = TRUE;
-
- out:
-  g_free (name);
-  return ret;
+  return FALSE;
 }
 
 static gboolean

