Ensure that the OAuth 2 state parameter is cleared in all cases
authorTim Düsterhus <duesterhus@woltlab.com>
Fri, 20 Aug 2021 13:16:46 +0000 (15:16 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Fri, 20 Aug 2021 13:16:46 +0000 (15:16 +0200)
wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php

index 5ac9397644681de05234faff70a6de689a7230d7..f769c43e1f58cd20c55b6736119b6fe628c5960e 100644 (file)
@@ -122,17 +122,19 @@ abstract class AbstractOauth2Action extends AbstractAction
      */
     protected function validateState()
     {
-        if (!isset($_GET['state'])) {
-            throw new StateValidationException('Missing state parameter');
-        }
-        if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
-            throw new StateValidationException('Missing state in session');
-        }
-        if (!\hash_equals($sessionState, (string)$_GET['state'])) {
-            throw new StateValidationException('Mismatching state');
+        try {
+            if (!isset($_GET['state'])) {
+                throw new StateValidationException('Missing state parameter');
+            }
+            if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
+                throw new StateValidationException('Missing state in session');
+            }
+            if (!\hash_equals($sessionState, (string)$_GET['state'])) {
+                throw new StateValidationException('Mismatching state');
+            }
+        } finally {
+            WCF::getSession()->unregister(self::STATE);
         }
-
-        WCF::getSession()->unregister(self::STATE);
     }
 
     /**
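Review bot: The `isset($_GET['state'])` guard in the new try block still admits a non-scalar value, so a request carrying `state` as an array reaches the `(string)` cast, which yields the literal string "Array" plus a warning before `\hash_equals` runs. Tightening the first check to `if (!isset($_GET['state']) || !\is_string($_GET['state'])) {` rejects that shape with the same "Missing state parameter" exception, and keeps `hash_equals` fed with the string it expects. The session side has the same exposure if `getVar(self::STATE)` ever returns a non-string; a `\is_string($sessionState)` check in the second condition would close it, though I cannot see from the hunk what `getVar` returns. The method's docblock begins above the hunk; if it does not already list `@throws StateValidationException`, it is worth adding now that the method also guarantees the session state is cleared on every exit path.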