Commits

David Larlet committed 4ec55f4

This is a STRONGLY recommended update.

The issue, found by Matthieu Huguet, comes from the Token/Consumer.generate_random_codes functions, which test the key AND secret combination and not key OR secret. This is not a security issue because stores.DataStore.lookup_consumer/lookup_token try to retrieve the token with an objects.get, so it will raise a model.MultipleObjectsReturned error in case there are two similar keys. But you must be careful if you have customized the store.

Please contact me (http://larlet.com) if you'd like to be added to the django-oauth-security mailing list for future security announcements.
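The following is an added, stand-alone illustration of the collision check the commit message describes; it is example code, not django-oauth's own. It uses an in-memory stand-in for Consumer.objects so it runs without Django, puts the pre-fix AND check beside the fixed OR check, and contrasts the two lookup styles the message mentions: an objects.get-style lookup that raises on duplicates, and a "customized store" that returns the first match and never notices. The KEY_SIZE/SECRET_SIZE values, the generate_random body and the scripted key/secret values are assumptions made for the demonstration.

```python
# Added illustration of the AND-vs-OR uniqueness check; not django-oauth's code.
# KEY_SIZE/SECRET_SIZE and generate_random are assumptions for the example.
import secrets
import string

KEY_SIZE = 16
SECRET_SIZE = 32
ALPHABET = string.ascii_letters + string.digits


def generate_random(length):
    """Assumed CSPRNG-backed generator; the project's generate_random is not shown here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class MultipleObjectsReturned(Exception):
    """Stands in for the Django exception named in the commit message."""


class DoesNotExist(Exception):
    pass


class InMemoryStore:
    """Stand-in for Consumer.objects: rows are (key, secret) tuples."""

    def __init__(self, rows=()):
        self.rows = list(rows)

    def collides_and(self, key, secret):
        # pre-fix condition: filter(key__exact=key, secret__exact=secret)
        return any(k == key and s == secret for k, s in self.rows)

    def collides_or(self, key, secret):
        # fixed condition: filter(Q(key__exact=key) | Q(secret__exact=secret))
        return any(k == key or s == secret for k, s in self.rows)

    def get_by_key(self, key):
        # mirrors objects.get(): raises on zero or on more than one match
        matches = [row for row in self.rows if row[0] == key]
        if not matches:
            raise DoesNotExist(key)
        if len(matches) > 1:
            raise MultipleObjectsReturned(key)
        return matches[0]

    def first_by_key(self, key):
        # a "customized store" that returns the first match and never notices duplicates
        for row in self.rows:
            if row[0] == key:
                return row
        return None


def generate_codes(store, collides, rng=generate_random):
    """The loop from the diff, parameterised by the collision check used."""
    key = rng(KEY_SIZE)
    secret = rng(SECRET_SIZE)
    while collides(key, secret):
        key = rng(KEY_SIZE)
        secret = rng(SECRET_SIZE)
    store.rows.append((key, secret))
    return key, secret


def forced_collision_store(use_or_check):
    """Seed a store with ("KEY_A", "SECRET_1"), then generate codes with a
    constructed generator whose first draw reuses KEY_A. Returns the store."""
    store = InMemoryStore([("KEY_A", "SECRET_1")])
    scripted = iter(["KEY_A", "SECRET_2", "KEY_B", "SECRET_3"])  # constructed values
    rng = lambda length: next(scripted)  # deterministic stand-in for generate_random
    check = store.collides_or if use_or_check else store.collides_and
    generate_codes(store, check, rng)
    return store


def rows_with_key(store, key):
    """How many stored rows share the given key (1 means unique)."""
    return sum(1 for row in store.rows if row[0] == key)


def lookup_outcome(store, key):
    """(strict, lenient): objects.get-style lookup raises on a duplicate key,
    a first()-style custom store silently hands back one of the two rows."""
    try:
        strict = store.get_by_key(key)[1]
    except MultipleObjectsReturned:
        strict = "MultipleObjectsReturned"
    lenient = store.first_by_key(key)[1]
    return strict, lenient


if __name__ == "__main__":
    for use_or in (False, True):
        s = forced_collision_store(use_or)
        print("OR check" if use_or else "AND check",
              "rows with KEY_A:", rows_with_key(s, "KEY_A"),
              "lookup:", lookup_outcome(s, "KEY_A"))
```

With the AND check the second consumer is stored under the already-used KEY_A because its secret differs, the strict lookup raises MultipleObjectsReturned, and the lenient store returns whichever row comes first; with the OR check the loop draws again and the key stays unique.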

  • Parent commits 02962be

Files changed (1)

File oauth_provider/models.py

         """
         key = generate_random(length=KEY_SIZE)
         secret = generate_random(length=SECRET_SIZE)
-        while Consumer.objects.filter(key__exact=key, secret__exact=secret).count():
+        while Consumer.objects.filter(models.Q(key__exact=key) | models.Q(secret__exact=secret)).count():
+            key = generate_random(length=KEY_SIZE)
             secret = generate_random(length=SECRET_SIZE)
         self.key = key
         self.secret = secret
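Review bot: the filter-then-assign loop in Consumer.generate_random_codes is still a check-then-act race: two requests that draw the same `key` between the `Consumer.objects.filter(...)` check and the point where the object is saved both pass the `while` and end up stored with the same key, so the uniqueness this commit aims at should also be enforced by a database unique constraint on `key` (with the save retried on `IntegrityError`) rather than by the loop alone. Separately, `.count()` in the loop condition makes the database count every match where `.exists()` answers the same yes/no question more cheaply: `while Consumer.objects.filter(models.Q(key__exact=key) | models.Q(secret__exact=secret)).exists():`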
         """
         key = generate_random(length=KEY_SIZE)
         secret = generate_random(length=SECRET_SIZE)
-        while Token.objects.filter(key__exact=key, secret__exact=secret).count():
+        while Token.objects.filter(models.Q(key__exact=key) | models.Q(secret__exact=secret)).count():
+            key = generate_random(length=KEY_SIZE)
             secret = generate_random(length=SECRET_SIZE)
         self.key = key
         self.secret = secret
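Review bot: this loop is a line-for-line copy of the Consumer version above with only the model class changed, which is how the same AND-vs-OR mistake ended up in two places; consider factoring both into one module-level helper, e.g. a hypothetical `_unique_codes(model)` that runs the `models.Q(key__exact=key) | models.Q(secret__exact=secret)` check and returns `(key, secret)`, so the next fix to the collision check happens once. The same `.count()` to `.exists()` point and the same race between the check and the save apply here as for Consumer.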