From: Tim Düsterhus Date: Fri, 20 Aug 2021 13:16:46 +0000 (+0200) Subject: Ensure that the OAuth 2 state parameter is cleared in all cases X-Git-Tag: 5.4.5_RC_1~30^2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1d74b1407aab06c96b00a249ea20458f1f2cabcb;p=GitHub%2FWoltLab%2FWCF.git Ensure that the OAuth 2 state parameter is cleared in all cases
---
diff --git a/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php b/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
index 5ac9397644..f769c43e1f 100644
--- a/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
+++ b/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
@@ -122,17 +122,19 @@ abstract class AbstractOauth2Action extends AbstractAction
 */
 protected function validateState()
 {
- if (!isset($_GET['state'])) {
- throw new StateValidationException('Missing state parameter');
- }
- if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
- throw new StateValidationException('Missing state in session');
- }
- if (!\hash_equals($sessionState, (string)$_GET['state'])) {
- throw new StateValidationException('Mismatching state');
+ try {
+ if (!isset($_GET['state'])) {
+ throw new StateValidationException('Missing state parameter');
+ }
+ if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
+ throw new StateValidationException('Missing state in session');
+ }
+ if (!\hash_equals($sessionState, (string)$_GET['state'])) {
+ throw new StateValidationException('Mismatching state');
+ }
+ } finally {
+ WCF::getSession()->unregister(self::STATE);
 }
-
- WCF::getSession()->unregister(self::STATE);
 }
 
 /**
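Review bot: The `isset($_GET['state'])` guard on the first added `if` still accepts a non-string value (a query string can deliver `state` as an array), and the `(string)$_GET['state']` cast in the `\hash_equals` call then produces the literal `"Array"` together with an "Array to string conversion" warning; depending on the installed error handler that may surface as a generic error instead of the intended `StateValidationException`. Requiring a string up front keeps every rejection on the same exception path: `if (!isset($_GET['state']) || !\is_string($_GET['state'])) {`. The `!($sessionState = ...)` test is a truthiness check, so a stored state of `'0'` or `''` would be reported as "Missing state in session"; that is presumably harmless if the state is always a long random token, but `=== null` would state the intent explicitly. The new `finally` correctly discards the session state on every exit path, including the exception paths, so a failed callback cannot be retried against the same value. The enclosing class continues outside the hunk.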