1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-10 11:25:56 -05:00
forgejo/routers/web
Giteabot 248a5b8d7a
Prevent automatic OAuth grants for public clients (#30790) (#30836)
Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 6d83f5eddc0f394f6386e80b86a3221f6f4925ff)
2024-05-07 08:14:22 +01:00
..
admin s/Gitea/Forgejo in various log messages and comments 2024-04-22 14:41:17 +00:00
auth Prevent automatic OAuth grants for public clients (#30790) (#30836) 2024-05-07 08:14:22 +01:00
devtest Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
events Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
explore Unify search boxes (#29530) 2024-03-20 12:31:05 +00:00
feed Rename Str2html to SanitizeHTML and clarify its behavior (#29516) 2024-03-06 12:10:45 +08:00
healthcheck Add health-check test 2024-04-06 08:44:23 +00:00
misc Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
org Show repo count in blocked users tab (#3601) 2024-05-02 17:10:06 +00:00
repo Merge pull request '[v1.22/gitea] week 2024-18 cherry pick v7.0 (take 2)' (#3580) from earl-warren/forgejo:wip-v7.0-gitea-cherry-pick into v7.0/forgejo 2024-05-01 12:36:57 +00:00
shared Fix missing code in the user profile (#29865) 2024-03-26 19:04:25 +01:00
user Merge pull request '[v1.22/gitea] week 16 cherry pick to v7.0' (#3235) from earl-warren/forgejo:wip-v7.0-gitea-cherry-pick into v7.0/forgejo 2024-04-16 09:31:46 +00:00
base.go Fix panic in storageHandler (#27446) 2023-10-06 13:23:14 +00:00
githttp.go Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
goget.go Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
home.go migrate some more "OptionalBool" to "Option[bool]" (#29479) 2024-03-06 12:10:44 +08:00
metrics.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
nodeinfo.go Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
swagger_json.go Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00
web.go Show repo activities even if only code unit active or git repo is empty but issue is active (#3455) 2024-04-28 13:50:45 +00:00
webfinger.go fix: respond with JSON Resource Descriptor Content-Type per RFC7033 2024-04-02 09:41:57 +00:00