SCOPE/AUTH_PARAMS immutability

percipient · Oct 13, 2016 · 492ba97 · 492ba97
1 parent aa86192
commit 492ba97
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,6 +1,19 @@
 0.28.0 (2016-10-13)
 *******************
 
+Security notice
+---------------
+
+- Previous versions contained a vulnerability allowing an attacker to alter the
+  provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the
+  larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across
+  subsequent requests for all users, provided these settings were explicitly set
+  within your project. These settings translate directly into request
+  parameters, giving the attacker undesirable control over the OAuth(2)
+  handshake. You are not affected if you did not explicitly configure these
+  settings. Thanks to Ryan Kelly for reporting!
+
+
 Note worthy changes
 -------------------
 

diff --git a/allauth/socialaccount/providers/oauth/provider.py b/allauth/socialaccount/providers/oauth/provider.py
@@ -19,7 +19,7 @@ def get_login_url(self, request, **kwargs):
 
     def get_auth_params(self, request, action):
         settings = self.get_settings()
-        ret = settings.get('AUTH_PARAMS', {})
+        ret = dict(settings.get('AUTH_PARAMS', {}))
         dynamic_auth_params = request.GET.get('auth_params', None)
         if dynamic_auth_params:
             ret.update(dict(parse_qsl(dynamic_auth_params)))

diff --git a/allauth/socialaccount/providers/oauth2/provider.py b/allauth/socialaccount/providers/oauth2/provider.py
@@ -19,17 +19,15 @@ def get_login_url(self, request, **kwargs):
 
     def get_auth_params(self, request, action):
         settings = self.get_settings()
-        ret = settings.get('AUTH_PARAMS', {})
+        ret = dict(settings.get('AUTH_PARAMS', {}))
         dynamic_auth_params = request.GET.get('auth_params', None)
         if dynamic_auth_params:
             ret.update(dict(parse_qsl(dynamic_auth_params)))
         return ret
 
     def get_scope(self, request):
         settings = self.get_settings()
-        scope = settings.get('SCOPE')
-        if scope is None:
-            scope = self.get_default_scope()
+        scope = list(settings.get('SCOPE', self.get_default_scope()))
         dynamic_scope = request.GET.get('scope', None)
         if dynamic_scope:
             scope.extend(dynamic_scope.split(','))