CSRF vulnerability, injecting state in session

homakov · homakov · commit 80d75bfd98d5 · 2012-09-08T12:26:34.000+03:00
PoC https://gist.github.com/3673012
diff --git a/lib/omniauth/strategies/oauth2.rb b/lib/omniauth/strategies/oauth2.rb
@@ -49,9 +49,7 @@ def request_phase
       end
 
       def authorize_params
-        if options.authorize_params[:state].to_s.empty?
-          options.authorize_params[:state] = SecureRandom.hex(24)
-        end
+        options.authorize_params[:state] = SecureRandom.hex(24)
         params = options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
         if OmniAuth.config.test_mode
           @env ||= {}
