DjangoOpenIDStore allows use of already used nonce (potential security flaw)
balexand opened this issue
Unit test to repro is below. Note that MemoryStore, which is included with the python-openid lib, passes the test. I believe the problem can be fixed by deleting line 97 of models.py: "nonce.delete()".
```python
import time
import unittest

from openid.store.memstore import MemoryStore
# Import path assumed; adjust to wherever this project defines DjangoOpenIDStore.
from django_openid.models import DjangoOpenIDStore


class NonceStoreTest(unittest.TestCase):

    def testStore(self):
        # store = MemoryStore()  # python-openid's own in-memory store passes this test
        store = DjangoOpenIDStore()
        server_url = 'http://foo.com/'
        timestamp = time.time()
        salt = '123'
        assert store.useNonce(server_url, timestamp, salt), \
            'useNonce should return True the first time: ' + str(store)
        # Re-presenting the same nonce must be refused every time after the first.
        for i in range(10):
            assert not store.useNonce(server_url, timestamp, salt), \
                'useNonce should return False after that: ' + str(store)
```
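As an added illustration (not code from this issue or the project), a self-contained model of the two `useNonce` behaviours: a dict-backed stand-in for the Django `Nonce` table, the reported create-then-delete logic beside a version that keeps the row, and a helper that runs the same ten-replay check as the test above. The `NonceTable` class, function names and the `SKEW` window are assumptions for this model.

```python
import time

# Refuse nonces whose timestamp is further than this from "now"; python-openid's
# stores use the same window (openid.store.nonce.SKEW).
SKEW = 60 * 60 * 5


class NonceTable:
    """Stand-in for the Django Nonce model: a set of (server_url, timestamp, salt) rows."""

    def __init__(self):
        self.rows = set()

    def get_or_create(self, key):
        """Mimic Django's get_or_create(): True if the row was newly created."""
        if key in self.rows:
            return False
        self.rows.add(key)
        return True

    def delete(self, key):
        self.rows.discard(key)


def use_nonce_buggy(table, server_url, timestamp, salt):
    """Reported behaviour: the row is created and then deleted again, so the same
    nonce looks new on every call and a replay is accepted."""
    key = (server_url, int(timestamp), salt)
    created = table.get_or_create(key)
    table.delete(key)  # the nonce.delete() the issue proposes removing
    return created


def use_nonce_fixed(table, server_url, timestamp, salt):
    """Keep the row, so a second presentation of the same nonce is refused; also
    reject timestamps outside the skew window, as python-openid's stores do."""
    if abs(timestamp - time.time()) > SKEW:
        return False
    return table.get_or_create((server_url, int(timestamp), salt))


def replay_accepted(use_nonce, attempts=10):
    """True if any repeat of an already-used nonce is accepted by use_nonce."""
    table = NonceTable()
    nonce = ('http://foo.com/', time.time(), '123')  # constructed sample nonce
    if not use_nonce(table, *nonce):
        raise AssertionError('first use of a fresh nonce must succeed')
    return any(use_nonce(table, *nonce) for _ in range(attempts))
```

`replay_accepted(use_nonce_buggy)` is True and `replay_accepted(use_nonce_fixed)` is False, which is exactly the split the unit test above detects.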