Change state delimiter to | to avoid collision with URLs
alexander-mayr-meister committed Apr 9, 2024
1 parent 7e6e3f3 commit 0b1b6a9
Showing 1 changed file with 2 additions and 2 deletions.
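--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -1189,13 +1189,13 @@ func checkAllowedEmails(req *http.Request, s *sessionsapi.SessionState) bool {
 // encodedState builds the OAuth state param out of our nonce and
 // original application redirect
 func encodeState(nonce string, redirect string, additional string) string {
-return fmt.Sprintf("%v:%v:%v", nonce, redirect, additional)
+return fmt.Sprintf("%v|%v|%v", nonce, redirect, additional)
 }
 
 // decodeState splits the reflected OAuth state response back into
 // the nonce and original application redirect
 func decodeState(req *http.Request) (string, string, string, error) {
-state := strings.SplitN(req.Form.Get("state"), ":", 3)
+state := strings.SplitN(req.Form.Get("state"), "|", 3)
 
 if len(state) != 3 {
 return "", "", "", errors.New("invalid length")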
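Review bot: A redirect that itself contains `|` still breaks the round trip, because `decodeState` splits on the first two delimiters and `redirect` sits in the middle field, so the redirect would be cut short and its tail would land in `additional`. Since the redirect typically originates from the request, the fields should be escaped rather than relying on a rarer separator, e.g. `return fmt.Sprintf("%v|%v|%v", nonce, url.QueryEscape(redirect), url.QueryEscape(additional))` with a matching `url.QueryUnescape` on `state[1]` and `state[2]` in `decodeState` (assuming `net/url` is already imported in this file). The body of `decodeState` continues past the hunk, so whether the decoded redirect is re-validated before use is not visible here and is worth confirming. The comment above `encodeState` also still names it `encodedState` and does not mention the third field.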
