The Twitter social login is left out because the implementation still uses OAuth 1.0, which does not support the `state` parameter.
Closes #3501
}
// validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__facebookInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__facebookInit'), $_GET['state'])) throw new IllegalLinkException();
WCF::getSession()->unregister('__facebookInit');
try {
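Review bot: The new `\hash_equals()` call on the `+` line is passed `WCF::getSession()->getVar('__facebookInit')` without checking it is a string, so if the session variable is absent (the callback reached without the init step, or after the `unregister()` on the following line ran in an earlier request) or `$_GET['state']` arrives as an array, the comparison no longer fails with the intended `IllegalLinkException` but, depending on the PHP version, with a warning plus `false` or an uncaught `TypeError`; the replaced `!=` comparison tolerated both cases. I would read the session value once and type-check both operands before comparing, e.g. `$knownState = WCF::getSession()->getVar('__facebookInit');` followed by `if (!\is_string($knownState) || !isset($_GET['state']) || !\is_string($_GET['state']) || !\hash_equals($knownState, $_GET['state'])) throw new IllegalLinkException();`. The same applies to the GitHub (`__githubInit`) and Google (`__googleInit`) hunks below. The enclosing method starts and ends outside this hunk.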
}
// validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__githubInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__githubInit'), $_GET['state'])) throw new IllegalLinkException();
WCF::getSession()->unregister('__githubInit');
parse_str($content, $data);
}
// validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__googleInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__googleInit'), $_GET['state'])) throw new IllegalLinkException();
WCF::getSession()->unregister('__googleInit');
$data = JSON::decode($content);