italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

Fixing issue #256 - Open Redirect vulnerability #257

Closed · voidz0r closed 1 year ago

voidz0r commented 1 year ago

This fixes the above-mentioned vulnerability.

The "state" parameter is intended as an anti-XSRF mechanism, and the application should check the session-stored anti-XSRF token against the one provided in the state parameter passed during the authentication flow. This is not covered by this PR.

Note: this functionality is not tested and could break the existing test case so, please, change it accordingly.
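The state check described in the comment above, as an added example that is not part of this PR or of the spid-cie-oidc-django code base: a fresh unguessable `state` is issued and bound to the server-side session when the authorization request is built, and on the callback the echoed value is compared with the stored one in constant time and consumed so it cannot be replayed. A plain dict stands in for the session store (the key name `oidc_state` and the helper names are assumptions made for this example).

```python
import hmac
import secrets
from urllib.parse import urlencode

# Assumed session key for this example (not the project's own name).
STATE_SESSION_KEY = "oidc_state"


def issue_state(session: dict, nbytes: int = 32) -> str:
    """Generate a fresh, unguessable state value and bind it to the session.

    The session dict stands in for a real server-side session store; any
    previously issued state is overwritten so only the latest flow is valid.
    """
    state = secrets.token_urlsafe(nbytes)
    session[STATE_SESSION_KEY] = state
    return state


def build_authorization_url(session: dict, authz_endpoint: str,
                            client_id: str, redirect_uri: str) -> str:
    """Build the authorization request, carrying the session-bound state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": issue_state(session),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def verify_state(session: dict, returned_state) -> bool:
    """Check the state echoed by the provider against the session copy.

    The stored value is removed on every attempt (single use), and the
    comparison is constant-time so the check does not leak via timing.
    """
    expected = session.pop(STATE_SESSION_KEY, None)
    if not expected or not isinstance(returned_state, str):
        return False
    return hmac.compare_digest(expected, returned_state)


def handle_callback(session: dict, query: dict):
    """Return the authorization code only when the state check passes.

    Rejecting the response here prevents an attacker from completing a
    login with a callback they initiated in the victim's browser.
    """
    if not verify_state(session, query.get("state")):
        return None
    return query.get("code")


if __name__ == "__main__":
    # Constructed walk-through of one flow with a dict as the session.
    session = {}
    url = build_authorization_url(session, "https://op.example/authorize",
                                  "client-123", "https://rp.example/callback")
    print("redirect user to:", url)
    echoed = session[STATE_SESSION_KEY]  # what the provider sends back
    print("code accepted:", handle_callback(session, {"code": "abc", "state": echoed}))
    print("replay accepted:", handle_callback(session, {"code": "abc", "state": echoed}))
```

Because `verify_state` pops the stored value, a callback that arrives with a stale, missing or attacker-chosen state is rejected and the stored token cannot be reused for a second callback; the session must of course be the same one that started the flow, which is what ties the response to the browser that initiated it.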

peppelinux commented 1 year ago

Thank you for this important contribution