From 55a0d13e08e9d1529f0bd608f1f1bf2bb2086aa7 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 19 Jun 2015 09:14:44 -0700
Subject: [PATCH] Ensure Consumer key and Access Token Consumer match

Bug: T103023
Change-Id: If32d9652143264579ad1bf73be54e172e75d5088
---
 backend/MWOAuthDataStore.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/MWOAuthDataStore.php b/backend/MWOAuthDataStore.php
index d4443ff..c50fd2f 100644
--- a/backend/MWOAuthDataStore.php
+++ b/backend/MWOAuthDataStore.php
@@ -57,6 +57,11 @@ class MWOAuthDataStore extends OAuthDataStore {
 			if ( !$cmra ) {
 				throw new MWOAuthException( 'mwoauthdatastore-access-token-not-found' );
 			}
+			// Ensure the cmra's consumer matches the expected consumer (T103023)
+			$mwconsumer = $this->lookup_consumer( $consumer->key );
+			if ( $mwconsumer->get( 'id') !== $cmra->get( 'consumerId') ) {
+				throw new MWOAuthException( 'mwoauthdatastore-access-token-not-found' );
+			}
 			$secret = MWOAuthUtils::hmacDBSecret( $cmra->get( 'accessSecret' ) );
 			$returnToken = new MWOAuthToken( $cmra->get( 'accessToken' ), $secret );
 		} else {
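Review bot: The result of `lookup_consumer()` is dereferenced on the following line without a check, so if that method can return a falsy value for an unknown consumer key (its body is not in this hunk), `$mwconsumer->get( 'id')` becomes a fatal error rather than the intended `MWOAuthException`. Folding the check into the guard keeps the path fail-closed: `if ( !$mwconsumer || $mwconsumer->get( 'id' ) !== $cmra->get( 'consumerId' ) ) {`. The strict `!==` also assumes both getters return the same type; if one yields an int and the other a string from the database, every valid token would be rejected, so confirm the types or normalise both sides before comparing. Because a mismatch means a token was presented with another consumer's key, a log entry just before the `throw` would make such attempts visible to operators while the client still sees only the generic not-found message. The enclosing method starts and ends outside this hunk.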
-- 
1.8.4.5

