Hi all,
Seems like commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in OAuth20CallbackAuthorizeEndpointController.
Before, ‘callback’ was created per request; now it is shared among all threads accessing it.
As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it.
It looks rather like a high-profile security issue, since the redirect URL contains the ‘state’ value, which would allow one user to impersonate another, should they hit CAS at the same millisecond.
Kind regards,
Tim
My apologies, the correct commit ID is b1cbcb2a1b305fb915be3dac65e130da315772c0.
PR to address the issue:
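As an added illustration of the bug class described above (a constructed demo, not CAS code): a callback helper that keeps per-request data in instance fields is safe while a fresh instance is created for every request, and leaks one request's ‘state’ into another's redirect URL once a single instance is shared across the controller's threads. The helper class, its field names, the sample redirect URI and the request count are assumptions made for this demo.

```java
import java.util.UUID;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed demo of per-request data held in a shared object; not CAS code.
public class CallbackRaceDemo {

    // Hypothetical callback helper: stores the request's 'state' in a field,
    // then builds the redirect URL from that field.
    static final class CallbackHelper {
        private String state;
        private String redirectUrl;

        void prepare(String state, String clientRedirectUri) {
            this.state = state;
            Thread.yield(); // widen the window between write and read; a real controller does work here
            this.redirectUrl = clientRedirectUri + "?code=CONSTRUCTED&state=" + this.state;
        }

        String getRedirectUrl() { return redirectUrl; }
    }

    // Runs 'requests' concurrent callbacks and counts responses whose redirect URL
    // carries a state value that did not belong to the calling request.
    static int countCrossedResponses(boolean sharedHelper, int requests) throws Exception {
        CallbackHelper shared = new CallbackHelper();        // the "after" shape: one instance for all threads
        ExecutorService pool = Executors.newFixedThreadPool(16);
        AtomicInteger crossed = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(requests);
        for (int i = 0; i < requests; i++) {
            pool.execute(() -> {
                String myState = UUID.randomUUID().toString();
                CallbackHelper helper = sharedHelper ? shared : new CallbackHelper(); // "before": per request
                helper.prepare(myState, "https://client.example/cb");
                if (!helper.getRedirectUrl().endsWith("state=" + myState)) {
                    crossed.incrementAndGet();                 // another request's state leaked into this response
                }
                done.countDown();
            });
        }
        done.await();
        pool.shutdown();
        return crossed.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared helper, crossed responses:      " + countCrossedResponses(true, 20_000));
        System.out.println("per-request helper, crossed responses: " + countCrossedResponses(false, 20_000));
    }
}
```

The shared-helper count is non-deterministic but typically non-zero on a multi-core machine, while the per-request count is always zero; the same request-vs-response state check is a useful regression test for any endpoint that builds redirect URLs.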
--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/F7C333C2-8EDB-4616-BE92-E24622948C6C%40ebay.com.