1
1
mirror of https://github.com/go-gitea/gitea synced 2024-11-17 07:34:25 +00:00
gitea/routers/web
Giteabot 1389fa8a99
Prevent automatic OAuth grants for public clients (#30790) (#30835)
Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-05-02 20:39:48 +02:00
..
admin Forbid removing the last admin user (#28337) (#28793) 2024-01-16 01:51:46 +00:00
auth Prevent automatic OAuth grants for public clients (#30790) (#30835) 2024-05-02 20:39:48 +02:00
devtest Make "cancel" buttons have proper type in modal forms (#25618) 2023-07-03 14:04:50 +08:00
events Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
explore Only use supported sort order for "explore/users" page (#29430) (#29443) 2024-03-03 02:28:45 +00:00
feed Rework markup link rendering (#26745) (#28803) 2024-01-16 02:13:29 +00:00
healthcheck Remove db.DefaultContext in routers/ and cmd/ (#26076) 2023-07-23 23:47:27 -04:00
misc Refactor CORS handler (#28587) (#28611) 2023-12-25 21:01:24 +08:00
org Fix project description rendering for org (#30587) (#30599) 2024-04-19 13:28:18 +00:00
repo Fix rename branch 500 when the target branch is deleted but exist in database (#30430) (#30437) 2024-04-12 23:09:16 +08:00
shared Fix project counter in organization/individual profile (#28068) (#29361) 2024-02-24 07:58:43 +00:00
user Performance improvements for pull request list page (#29900) (#29972) 2024-03-22 09:58:04 +08:00
base.go Fix panic in storageHandler (#27446) (#27479) 2023-10-06 16:51:26 +02:00
githttp.go Refactor CORS handler (#28587) (#28611) 2023-12-25 21:01:24 +08:00
goget.go Support SSH for go get (#24664) 2023-05-12 09:44:37 +00:00
home.go Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
metrics.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
nodeinfo.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
swagger_json.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
web.go Use maintained gziphandler (#30592) (#30638) 2024-04-23 02:39:27 +00:00
webfinger.go Add a link to OpenID Issuer URL in WebFinger response (#26000) 2023-07-20 16:02:45 +08:00