88f2e9615c
To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663 |
||
---|---|---|
.. | ||
bitbucket_controller_spec.rb | ||
bitbucket_server_controller_spec.rb | ||
fogbugz_controller_spec.rb | ||
gitea_controller_spec.rb | ||
github_controller_spec.rb | ||
gitlab_controller_spec.rb | ||
gitlab_projects_controller_spec.rb | ||
google_code_controller_spec.rb |