author | Heiko Bernloehr <Heiko.Bernloehr@FreeIT.de> | 2012-11-15 17:10:35 +0100 |
committer | Heiko Bernloehr <Heiko.Bernloehr@FreeIT.de> | 2012-11-15 17:15:27 +0100 |
commit | 97c25ae39e3d6a628c65f4cb2ceecd48e410732d (patch) | |
tree | 97aea0adea3043e19b50758325d1bb7a646fff71 /app | |
parent | 9298117acdf82c9529a12a3ab41baf9d1e86c2f4 (diff) | |
download | ecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.tar.gz ecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.zip |
Changed security fix for redirects.
When creating an authorization token, the ECS only checks that exactly one of
the realm or url parameters is present.
Diffstat (limited to 'app')
-rw-r--r-- | app/models/message.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/models/message.rb b/app/models/message.rb
index 69067d0..8f225df 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -216,10 +216,8 @@ class Message < ActiveRecord::Base
 unless bks.include?("url") or bks.include?("realm")
 raise Ecs::InvalidMessageException, "You have to provide realm or url attribute"
 end
- if bks.include?("realm") and !b["realm"].empty? and !bks.include?("url")
- b["url"]= b["realm"]
- elsif bks.include?("url") and !b["url"].empty? and !bks.include?("realm")
- b["realm"]= b["url"]
+ if bks.include?("url") and bks.include?("realm")
+ raise Ecs::InvalidMessageException, "You only be allowed to use either realm or url attribute"
 end
 #msg_id = URI.split(b["url"])[5][1..-1].sub(/[^\/]*\/[^\/]*\/(.*)/, '\1').to_i |