Comment 10 for bug 1324592

Morgan Fainberg (mdrnstm) wrote : Re: Trust scope can be circumvented by chaining trusts

I just discussed this with ayoung and confirmed it is possible to perform the same type of escalation with the oauth contrib module. It would also be possible to use OAuth-based tokens to create trusts that can escalate permissions.

OAuth -> OAuth

Trust -> OAuth

OAuth -> Trust

The immediate solution should be to prevent any form of chained delegation from trusts or OAuth (extending the new code to cover OAuth scenarios).
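
Added example, not part of the comment above and not Keystone's own code: a sketch of the guard the comment proposes, refusing to create a trust or an OAuth grant whenever the authenticating token was itself obtained through a trust or OAuth. The token layout is an assumption modeled on the Keystone v3 token body, and `assert_not_delegated`, `delegation_source` and `check_all` are hypothetical names.

```python
# Token-body keys that mark a token as obtained through delegation.
# Assumption: modeled on the Keystone v3 token body ("OS-TRUST:trust" for a
# trust-scoped token, "OS-OAUTH1" for an OAuth1 token).
DELEGATION_MARKERS = {"OS-TRUST:trust": "trust", "OS-OAUTH1": "oauth"}


class ChainedDelegationError(Exception):
    """A delegated token was used to create another delegation."""


def delegation_source(token):
    """Return 'trust', 'oauth', or None for a directly authenticated token."""
    body = token.get("token", {})
    for key, kind in DELEGATION_MARKERS.items():
        # Key presence alone counts, so an empty section still fails closed.
        if key in body:
            return kind
    return None


def assert_not_delegated(token, creating):
    """Hypothetical guard to run before creating a trust or an OAuth grant."""
    source = delegation_source(token)
    if source is not None:
        raise ChainedDelegationError(f"{source} -> {creating} refused")


def check_all(tokens):
    """Return {(token_name, target): allowed} for each token and target."""
    results = {}
    for name, token in tokens.items():
        for target in ("trust", "oauth"):
            try:
                assert_not_delegated(token, target)
                results[(name, target)] = True
            except ChainedDelegationError:
                results[(name, target)] = False
    return results


# Constructed sample tokens; all ids are placeholders.
SAMPLE_TOKENS = {
    "password": {"token": {"methods": ["password"]}},
    "trust": {"token": {"OS-TRUST:trust": {"id": "TRUST_ID_PLACEHOLDER"}}},
    "oauth": {"token": {"OS-OAUTH1": {"access_token_id": "ID_PLACEHOLDER"}}},
    "empty_trust": {"token": {"OS-TRUST:trust": {}}},
}
```

`check_all(SAMPLE_TOKENS)` allows both targets only for the directly authenticated token; every trust or OAuth source is refused for both targets, which covers the three chains listed in the comment as well as trust -> trust.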