
Enforce/verify state parameter of callback
This fixes a security vulnerability where a malicious actor can bypass authentication via a clickjacking attack (CSRF vulnerability).

Signed-off-by: schema <[email protected]>
f3ndot authored and schemaxxx committed Aug 19, 2019
1 parent b1431d4 commit 6a4fe45
Showing 2 changed files with 14 additions and 4 deletions.
16 changes: 13 additions & 3 deletions SpecialOAuth2Client.php
Expand Up @@ -92,17 +92,27 @@ private function _redirect() {
}

private function _handleCallback(){
global $wgRequest;

try {
$storedState = $wgRequest->getSession()->get('oauth2state');
// Enforce the `state` parameter to prevent clickjacking/CSRF
if(isset($storedState) && $storedState != $_GET['state']) {
if(isset($_GET['state'])) {
throw new UnexpectedValueException("State parameter of callback does not match original state");
} else {
throw new UnexpectedValueException("Required state parameter missing");
}
}

// Try to get an access token using the authorization code grant.
$accessToken = $this->_provider->getAccessToken('authorization_code', [
'code' => $_GET['code']
]);
} catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {

// Failed to get the access token or user details.
exit($e->getMessage()); // Failed to get the access token or user details.
} catch (UnexpectedValueException $e) {
exit($e->getMessage());

}

$resourceOwner = $this->_provider->getResourceOwner($accessToken);
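Review bot: The new guard on the `if(isset($storedState) && $storedState != $_GET['state'])` line is skipped entirely when the session holds no `oauth2state`, so a callback that reaches this handler without a prior authorization redirect in the same session still proceeds to `getAccessToken` with whatever `code` the request carries, which is the login-CSRF case the commit description sets out to close; an absent stored state should fail the check, not pass it. The comparison also uses loose `!=` and reads `$_GET['state']` before the inner `isset` tests it, so a missing parameter raises a notice before the "Required state parameter missing" exception is thrown. A single condition covers all three cases: `if (!isset($storedState) || !isset($_GET['state']) || !hash_equals((string) $storedState, (string) $_GET['state'])) {` followed by one `UnexpectedValueException`, and the stored value should be cleared from the session once the comparison succeeds so the same state cannot be reused. Reading the parameter through `$wgRequest` rather than `$_GET` would also match how the session is accessed two lines above. `_handleCallback` continues past the end of the hunk.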
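--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
 "name": "MW-OAuth2Client",
-"version": "0.3",
+"version": "0.4",
 "author": [
 "[http://dekeijzer.org Joost de Keijzer]",
 "[https://www.mediawiki.org/wiki/User:Nischayn22 Nischay Nahata]",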
