On 10/10/19 11:23 am, Brian May wrote:
> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>
>> Just a quick question about this patch since I haven't really tested
>> this at all (however aware of the CVE),
>> Is checking signature before sending a request to openid.claimed_id URL
>> strict enough?
> Yes, that is my understanding. If the signature is checked, that makes
> it impossible for a third party to change the claimed_id URL, rendering
> the attack impossible.
>
> I don't claim to be an expert on this however.

I had a few pointers, but since this is already uploaded, I'll raise this in upstream first and then get back if needed.

Thank you for taking care of this.

Best,
Utkarsh
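The ordering discussed in the thread, as an added example that is not code from python-openid or from either participant: a relying-party handler that verifies the OpenID 2.0 association signature over the signed fields before it performs any discovery request on openid.claimed_id, so a response whose claimed_id was altered in transit fails offline. The association MAC key, the HMAC-SHA256 association type, the fetcher callback and the sample response are constructed assumptions.

```python
import base64
import hashlib
import hmac

def kv_form(params: dict, signed: list) -> bytes:
    # OpenID 2.0 Key-Value Form of the signed fields, in openid.signed order
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def verify_signature(params: dict, mac_key: bytes) -> bool:
    # Assumes an HMAC-SHA256 association; python-openid also supports SHA1
    signed = params.get("openid.signed", "").split(",")
    try:
        expected = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
        given = base64.b64decode(params["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, given)

def handle_id_res(params: dict, mac_key: bytes, fetch) -> tuple:
    """Return (status, fetched). fetch(url) runs only after the signature
    is valid, so a tampered claimed_id never triggers a network request."""
    if params.get("openid.mode") != "id_res":
        return ("bad_mode", False)
    if not verify_signature(params, mac_key):
        return ("bad_signature", False)
    fetch(params["openid.claimed_id"])   # discovery happens here, post-check
    return ("ok", True)

# constructed sample: a response signed with a known association key
MAC_KEY = b"constructed-association-key"
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

def make_response(claimed_id: str) -> dict:
    p = {"openid.mode": "id_res", "openid.signed": SIGNED,
         "openid.op_endpoint": "https://op.example/endpoint",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2019-10-10T11:23:00Zabc",
         "openid.assoc_handle": "handle-1"}
    sig = hmac.new(MAC_KEY, kv_form(p, SIGNED.split(",")), hashlib.sha256).digest()
    p["openid.sig"] = base64.b64encode(sig).decode()
    return p

def demo() -> tuple:
    calls = []                              # records every URL we would fetch
    good = make_response("https://alice.example/")
    # third party rewrites claimed_id after signing; signature no longer matches
    tampered = dict(good, **{"openid.claimed_id": "http://internal.example/"})
    return (handle_id_res(good, MAC_KEY, calls.append),
            handle_id_res(tampered, MAC_KEY, calls.append), calls)
```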