88f2e9615c
To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663 |
||
|---|---|---|
| .. | ||
| bitbucket_controller_spec.rb | ||
| bitbucket_server_controller_spec.rb | ||
| fogbugz_controller_spec.rb | ||
| gitea_controller_spec.rb | ||
| github_controller_spec.rb | ||
| gitlab_controller_spec.rb | ||
| gitlab_projects_controller_spec.rb | ||
| google_code_controller_spec.rb | ||