cram_nonce.valid needs to be checked when authenticating to prevent spoofing. For this same reason, cram_cron() shouldn't delete non-expired nonces even if they're no longer valid.

Untested fixes attached.
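The two fixes the report asks for, modelled as an added Python example rather than the cram module's own code (the table layout, the 300-second lifetime and the function names are assumptions): authentication must consult the nonce's `valid` flag, and the cron purge must remove only expired rows, so that a consumed nonce stays on record as invalid until it expires.

```python
# Constructed in-memory model of a CRAM nonce table; not the cram module's code.
TTL = 300  # assumed nonce lifetime in seconds


class NonceStore:
    """Stand-in for the nonce table: nonce -> {"expires": float, "valid": bool}."""

    def __init__(self):
        self.rows = {}

    def issue(self, nonce, now):
        # A freshly issued nonce is valid until it is consumed or expires.
        self.rows[nonce] = {"expires": now + TTL, "valid": True}

    def invalidate(self, nonce):
        # Consuming a nonce clears the flag but deliberately keeps the row.
        self.rows[nonce]["valid"] = False


def authenticate_unchecked(store, nonce, now):
    """Before the fix: the 'valid' flag is never consulted, so a nonce that has
    already been consumed is accepted again until it expires."""
    row = store.rows.get(nonce)
    if row is None or row["expires"] <= now:
        return False
    store.invalidate(nonce)
    return True


def authenticate(store, nonce, now):
    """After the fix: unknown, expired and already-consumed nonces all fail."""
    row = store.rows.get(nonce)
    if row is None or row["expires"] <= now or not row["valid"]:
        return False
    store.invalidate(nonce)
    return True


def cram_cron_unchecked(store, now):
    """Before the fix: drops rows that are expired *or* no longer valid."""
    store.rows = {n: r for n, r in store.rows.items()
                  if r["expires"] > now and r["valid"]}


def cram_cron(store, now):
    """After the fix: only expired rows go; a consumed nonce stays until expiry,
    so its 'valid' flag remains the record of the nonce having been used."""
    store.rows = {n: r for n, r in store.rows.items() if r["expires"] > now}


def replay_demo():
    """Present the same nonce twice: the unchecked path accepts the second
    use, the fixed path rejects it."""
    now = 1_000_000.0
    a, b = NonceStore(), NonceStore()
    a.issue("n1", now)
    b.issue("n1", now)
    unchecked = (authenticate_unchecked(a, "n1", now + 1),
                 authenticate_unchecked(a, "n1", now + 2))
    fixed = (authenticate(b, "n1", now + 1),
             authenticate(b, "n1", now + 2))
    return unchecked, fixed


def cron_demo():
    """A consumed-but-unexpired nonce survives the fixed cron as an invalid
    row; an expired nonce is removed."""
    now = 1_000_000.0
    store = NonceStore()
    store.issue("used", now)
    store.issue("old", now - TTL - 1)
    store.invalidate("used")
    cram_cron(store, now)
    return sorted(store.rows), store.rows["used"]["valid"]


if __name__ == "__main__":
    print("replay accepted (unchecked, fixed):", replay_demo())
    print("rows after cron, 'used' still valid?:", cron_demo())
```

`replay_demo()` returns `((True, True), (True, False))`: without the flag check the second presentation of `n1` succeeds. `cron_demo()` returns `(['used'], False)`: the fixed cron keeps the consumed nonce as an invalid row and drops only the expired one.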

Comments

selmanj

Status: Needs review » Fixed

This is definitely critical, and I wish I had noticed this. Nice catch on the cron line too (took me a few moments to see why that needed to be changed).

Both patches committed. Thanks!

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.