Use state in AuthorizationService

It's a paranoid safety precaution, but better safe than sorry.
Reported by WhiteHats; F-1.1.1
This commit is contained in:
Jaime van Kessel 2020-01-31 16:11:59 +01:00
parent ca25ec3dbc
commit 1269de744f
No known key found for this signature in database
GPG key ID: 3710727397403C91
4 changed files with 20 additions and 4 deletions


@ -25,6 +25,8 @@ class AuthorizationRequestHandler(BaseHTTPRequestHandler):
self.authorization_callback = None # type: Optional[Callable[[AuthenticationResponse], None]]
self.verification_code = None # type: Optional[str]
self.state = None # type: Optional[str]
# CURA-6609: Some browser seems to issue a HEAD instead of GET request as the callback.
def do_HEAD(self) -> None:
self.do_GET()
@ -58,7 +60,14 @@ class AuthorizationRequestHandler(BaseHTTPRequestHandler):
# \return HTTP ResponseData containing a success page to show to the user.
def _handleCallback(self, query: Dict[Any, List]) -> Tuple[ResponseData, Optional[AuthenticationResponse]]:
code = self._queryGet(query, "code")
if code and self.authorization_helpers is not None and self.verification_code is not None:
state = self._queryGet(query, "state")
if state != self.state:
token_response = AuthenticationResponse(
success = False,
err_message=catalog.i18nc("@message",
"The provided state is not correct.")
)
elif code and self.authorization_helpers is not None and self.verification_code is not None:
# If the code was returned we get the access token.
token_response = self.authorization_helpers.getAccessTokenUsingAuthorizationCode(
code, self.verification_code)
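Review bot: The new state check at `if state != self.state:` passes when both sides are `None`: `self.state` is initialised to `None` in the first hunk, and `_queryGet` presumably returns `None` for a callback that simply omits the `state` parameter, so a handler whose state was never populated would accept a state-less callback and fall through to exchanging the code. Since the value is set from outside this file (the commit title points at AuthorizationService), a defensive guard here costs one token and makes the failure mode explicit: `if self.state is None or state != self.state:`. Note also that `BaseHTTPRequestHandler` creates a fresh handler instance per request, so the `self.state = None` in `__init__` only makes sense if the real value is installed at class level or injected before each request — worth a short comment next to the attribute, e.g. `# Expected OAuth state; set by AuthorizationService before the callback arrives. None means "reject everything".` The body of `_handleCallback` continues past the end of this hunk.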