source.dussan.org Git - gitea.git/commit

author	Archer <archer@beezig.eu>
	Thu, 2 May 2024 17:05:59 +0000 (19:05 +0200)
committer	GitHub <noreply@github.com>
	Thu, 2 May 2024 17:05:59 +0000 (17:05 +0000)
commit	5c542ca94caa3587329167cfe9e949357ca15cf1
tree	54be89ed43f941490130131707aa831c984f456c	tree \| snapshot
parent	872caa17c0a30d95f85ab75c068d606e07bd10b3	commit \| diff

Prevent automatic OAuth grants for public clients (#30790)

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea

RSS Atom