Merge pull request #25 from homakov/patch-1

mbleigh · mbleigh · commit 451f7ecad175 · 2012-09-18T09:57:25.000-07:00
CSRF vulnerability, injecting state in session
diff --git a/lib/omniauth/strategies/oauth2.rb b/lib/omniauth/strategies/oauth2.rb
@@ -49,9 +49,7 @@ def request_phase
       end
 
       def authorize_params
-        if options.authorize_params[:state].to_s.empty?
-          options.authorize_params[:state] = SecureRandom.hex(24)
-        end
+        options.authorize_params[:state] = SecureRandom.hex(24)
         params = options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
         if OmniAuth.config.test_mode
           @env ||= {}
