Comment 7 for bug 1179615

Thierry Carrez (ttx) wrote : Re: auth_token middleware neglects to check expiry of signed token

Making sure I understand this correctly...

Your patch fixes _cache_put() so that it doesn't store expired tokens... But _cache_get() seems to properly implement the expiration check, so it will not return expired tokens. So is this really exploitable? Or exploitable only if the token is not in the cache already?