gwibber bypasses certificate checking when providing the login/password for OAuth

Bug #705363 reported by Raphaël Hertzog
This bug affects 4 people
Affects           Status        Importance  Assigned to  Milestone
Gwibber                         Undecided   Unassigned
gwibber (Debian)  Fix Released  Unknown
gwibber (Ubuntu)                Undecided   Unassigned

Bug Description

Someone reported this in Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608724

identi.ca had (mistakenly) installed an SSL certificate not recognized by the installed CA, yet the user was still presented with the OAuth login screen even though that https connection could not be authenticated.

visibility: private → public
Changed in gwibber (Debian):
status: Unknown → Confirmed
Revision history for this message
Kartik Mistry (kartik.mistry) wrote :

Any updates on this bug from upstream?

Revision history for this message
Evgeni Golov (evgeni) wrote :

meh, we could wrap each and every urllib2.urlopen call with something like this:
http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700
But I'd like to hear something from Ryan before patching :)

Revision history for this message
Evgeni Golov (evgeni) wrote :

any update?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gwibber (Ubuntu):
status: New → Confirmed
Revision history for this message
dobey (dobey) wrote :

It's a bit more complicated than just wrapping urllib2 calls. The failure cases actually need to be handled properly, and the user notified/presented with options to approve certs somehow, and this report specifically seems to be about the gwibber-accounts part of the code, when adding an account.

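The two points raised above, Evgeni's suggestion of wrapping every urlopen call with certificate validation and dobey's reply that the failure cases then have to be handled rather than silently swallowed, as an added Python 3 example. This is not gwibber's code or the patch discussed in the thread; it contrasts a context with verification switched off (effectively what a urllib2-era client got) with the stdlib's verifying default, and classifies the outcome of a fetch so that the account-setup code only shows the OAuth login form when the chain and hostname checks passed. The fake `urlopen` callables and the `https://identi.ca/` URL used in the demo are constructed stand-ins so the failure paths run offline; `fetch_oauth_page` and `may_show_login` are hypothetical names.

```python
import ssl
import urllib.error
import urllib.request

# Outcomes the account-setup code can act on. Only VERIFIED may lead to the
# OAuth login form being shown; the others should surface an error instead.
VERIFIED = "verified"            # chain and hostname checks passed
CERT_FAILURE = "cert_failure"    # untrusted chain or hostname mismatch (the identi.ca case)
TLS_FAILURE = "tls_failure"      # handshake failed for another TLS reason
OTHER_FAILURE = "other_failure"  # DNS, connection, timeout or HTTP error, not TLS


def unverified_context():
    """Verification switched off: what a urllib2-era client effectively got,
    and why a certificate the CA store does not trust went unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context():
    """System CA store, full chain validation and hostname matching."""
    return ssl.create_default_context()


def context_verifies(ctx):
    """True only if the context rejects an untrusted or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_oauth_page(url, urlopen=urllib.request.urlopen, context=None):
    """Fetch the page that precedes the OAuth login form and classify the result.
    `urlopen` is injectable so the failure paths can be exercised offline."""
    context = context if context is not None else verifying_context()
    try:
        with urlopen(url, context=context, timeout=10) as resp:
            return VERIFIED, resp.read()
    except ssl.SSLCertVerificationError as err:
        # Raised directly when the handshake is done outside urllib.
        return CERT_FAILURE, getattr(err, "verify_message", str(err))
    except urllib.error.URLError as err:
        # urllib wraps handshake failures: the underlying SSL error is in `reason`.
        reason = err.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            return CERT_FAILURE, getattr(reason, "verify_message", str(reason))
        if isinstance(reason, ssl.SSLError):
            return TLS_FAILURE, str(reason)
        return OTHER_FAILURE, str(reason)
    except OSError as err:
        return OTHER_FAILURE, str(err)


def may_show_login(status):
    """The decision the account dialog needs: never present credentials over a
    connection whose peer could not be verified."""
    return status == VERIFIED


class _FakeResponse:
    """Constructed stand-in for the response object urlopen returns."""
    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_urlopen_untrusted(url, context=None, timeout=None):
    """Constructed: mimics urllib wrapping a failed chain check in URLError."""
    err = ssl.SSLCertVerificationError(1, "certificate verify failed: self-signed certificate")
    raise urllib.error.URLError(err)


def fake_urlopen_trusted(url, context=None, timeout=None):
    """Constructed: a handshake that passed verification."""
    return _FakeResponse(b"<html>OAuth authorize</html>")


if __name__ == "__main__":
    print("default context verifies:", context_verifies(verifying_context()))
    print("urllib2-era context verifies:", context_verifies(unverified_context()))
    for name, opener in [("untrusted cert", fake_urlopen_untrusted),
                         ("trusted cert", fake_urlopen_trusted)]:
        status, detail = fetch_oauth_page("https://identi.ca/", urlopen=opener)
        print(f"{name}: {status}; show login form: {may_show_login(status)} "
              f"({str(detail)[:60]!r})")
```

The detail string returned on CERT_FAILURE is what the account dialog would show instead of the login form, which is the notification step dobey asks for; an "approve this certificate" option would be built on top of that branch, not by lowering `verify_mode`.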
Revision history for this message
Bilal Shahid (s9iper1) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.
* Can you reproduce it?
* If so, then which version are you on?
Attach the log file found at this path:
~/.cache/gwibber/gwibber.log

no longer affects: gwibber
Changed in gwibber (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Raphaël Hertzog (hertzog) wrote :

Bilal, your way of handling this bug report is inappropriate. You dropped the affectation of the upstream project and you mark as incomplete something that has been verified by others.

Changed in gwibber (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Ken VanDine (ken-vandine) wrote :

With the transition to using libaccounts-glib and libsignon-glib in 3.6, the login is handled outside of gwibber and properly handles SSL.

Changed in gwibber:
status: New → Fix Released
Changed in gwibber (Ubuntu):
status: Confirmed → Fix Released
Changed in gwibber (Debian):
status: Confirmed → Fix Released
This report contains Public Security information.