delta/gitlab/gitlab-ce.git - gitlab.com: gitlab-org/gitlab-ce.git

diff options

author	Stan Hu <stanhu@gmail.com>	2019-01-22 09:38:08 -0800
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-31 16:52:48 +0100
commit	88f2e9615cbb6ed976e65ca96af271d747ed8cce (patch)
tree	531b52947080fa5ac022e61208b07b55cfd2e429 /GITLAB_PAGES_VERSION
parent	5b075413d95606949a305c0c65154a81e7b8a85d (diff)
download	gitlab-ce-88f2e9615cbb6ed976e65ca96af271d747ed8cce.tar.gz

Alias GitHub and BitBucket OAuth2 callback URLs

To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663

Diffstat (limited to 'GITLAB_PAGES_VERSION')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: