mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-18 02:42:38 +00:00
5038561235
Backport #37706 This PR tightens several OAuth validation paths related to PKCE handling, redirect URI normalization, and refresh-token replay safety. What it changes: - switch redirect URI comparison to ASCII-only normalization for exact-match checks, avoiding Unicode case-folding surprises - harden PKCE verification by: - allowing PKCE omission only when no challenge data was stored - rejecting exchanges with a missing verifier when PKCE was used - rejecting malformed challenge state where a challenge exists without a valid method - comparing derived challenges with constant-time string matching - make refresh-token invalidation counter updates conditional on the previously observed counter value, so stale refresh state cannot be accepted after the grant changes Why: These checks close gaps where: - redirect URI comparisons could rely on broader Unicode normalization than intended - malformed or incomplete PKCE state could be treated too permissively - concurrent or stale refresh-token use could advance the same grant more than once Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>