File gnome-online-accounts-CVE-2013-0240.patch of Package gnome-online-accounts.1315
From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 5 Feb 2013 13:43:34 +0000
Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
None of the branded providers (e.g., Google, Facebook and Windows Live)
should ever have an invalid certificate; and in this version of GOA,
that's all we have. So set "ssl-strict" on the SoupSession object
being used by GoaWebView.
---
src/goabackend/goaoauth2provider.c | 6 ++++++
src/goabackend/goaoauthprovider.c | 6 ++++++
2 files changed, 12 insertions(+)
Index: gnome-online-accounts-3.2.1/src/goabackend/goaoauth2provider.c
===================================================================
--- gnome-online-accounts-3.2.1.orig/src/goabackend/goaoauth2provider.c
+++ gnome-online-accounts-3.2.1/src/goabackend/goaoauth2provider.c
@@ -685,6 +685,11 @@ get_tokens_and_identity (GoaOAuth2Provid
SoupCookieJar *cookie_jar;
webkit_soup_session = webkit_get_default_session ();
+
+ g_object_set (webkit_soup_session,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
/* Get the proxy configuration from the GNOME settings */
soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
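Review bot: Setting `SOUP_SESSION_SSL_STRICT` in this `g_object_set` call only rejects bad certificates when the session also has a CA database to validate against, and nothing in the hunk configures one. libsoup documents that a session with no CA file or TLS database accepts every certificate and that ssl-strict then has no effect. Unless the trust store is set elsewhere (not visible here), the same call should also set it, e.g. `SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,` where the libsoup in use provides that property, or `SOUP_SESSION_SSL_CA_FILE` with the distribution's bundle path otherwise. The identical hunk in goaoauthprovider.c needs the same treatment. get_tokens_and_identity starts and ends outside the hunk, so it is also worth confirming that the token-exchange requests made later in it go through a session that validates certificates.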
Index: gnome-online-accounts-3.2.1/src/goabackend/goaoauthprovider.c
===================================================================
--- gnome-online-accounts-3.2.1.orig/src/goabackend/goaoauthprovider.c
+++ gnome-online-accounts-3.2.1/src/goabackend/goaoauthprovider.c
@@ -708,6 +708,11 @@ get_tokens_and_identity (GoaOAuthProvide
SoupCookieJar *cookie_jar;
webkit_soup_session = webkit_get_default_session ();
+
+ g_object_set (webkit_soup_session,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
/* Get the proxy configuration from the GNOME settings */
soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
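Review bot: This four-line `g_object_set` block is a verbatim copy of the one added to goaoauth2provider.c, and both act on the process-wide session returned by `webkit_get_default_session ()`. Because the setting is a property of the shared session rather than of either provider, it would be safer to apply it once where the web view is set up (the commit message names GoaWebView, which is not visible here), so that a provider added later cannot omit it. If it stays here, a short comment such as `/* Fail closed on invalid TLS certificates (CVE-2013-0240) */` above the call would stop it being removed as redundant. get_tokens_and_identity starts and ends outside the hunk.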