New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify state before using errors received from provider #144

Merged

BobbyMcWho merged 1 commit into omniauth:master from toupeira:verify-state-before-using-provider-errors

Nov 2, 2021

Commits on Nov 2, 2021

Verify state before using errors received from provider
```
This avoids content spoofing attacks by crafting a URL with malicious
messages, because the `state` param is only present in the session after
a valid OAuth2 authentication flow.
```
Markus Koller committed Nov 2, 2021
Copy the full SHA

98553d7 View commit details

Browse the repository at this point in the history