Escape provider name in oauth2 provider redirect (#12650)

Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
2025-09-28 03:28:13 +00:00 · 2020-08-31 00:55:19 +02:00
parent 21cd7ab812
commit 87f02d90cf
1 changed files with 2 additions and 1 deletions
--- a/modules/auth/oauth2/oauth2.go
+++ b/modules/auth/oauth2/oauth2.go
@@ -6,6 +6,7 @@ package oauth2

 import (
 	"net/http"
+	"net/url"

 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -119,7 +120,7 @@ func RemoveProvider(providerName string) {

 // used to create different types of goth providers
 func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {
-	callbackURL := setting.AppURL + "user/oauth2/" + providerName + "/callback"
+	callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback"

 	var provider goth.Provider
 	var err error