From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 5 Feb 2013 13:43:34 +0000
Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
None of the branded providers (eg., Google, Facebook and Windows Live) should ever have an invalid certificate; and in this version of GOA, that's all we have. So set "ssl-strict" on the SoupSession object being used by GoaWebView.
---
 src/goabackend/goaoauth2provider.c | 6 ++++++
 src/goabackend/goaoauthprovider.c | 6 ++++++
 2 files changed, 12 insertions(+)
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
 gulong i;
 
 session = webkit_get_default_session ();
+
+ g_object_set (session,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
 cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
 slist = soup_cookie_jar_all_cookies (cookie_jar);
 g_slist_foreach (slist, (GFunc) check_cookie, data);
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
 gulong i;
 
 session = webkit_get_default_session ();
+
+ g_object_set (session,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
 cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
 slist = soup_cookie_jar_all_cookies (cookie_jar);
 g_slist_foreach (slist, (GFunc) check_cookie, data);
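Review bot: The strict-TLS properties are set inside on_web_view_document_load_finished, which by its name runs only after a document has already finished loading, so the first page fetched through the default session is requested before SOUP_SESSION_SSL_STRICT takes effect; unless the session is already configured where the web view is created (outside this hunk), that initial load is still made with the non-strict defaults the commit is trying to remove. The identical hunk in goaoauthprovider.c has the same ordering. Moving the g_object_set call to the point where the default session is first obtained, before any load is started, closes that window; the enclosing function begins and ends outside the hunk, so the right spot cannot be confirmed from here. A short comment on the new call would also help future readers, e.g. `/* Reject any certificate that does not chain to the system CA store; the shared default session is not strict by default (CVE-2013-0240). */`.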