From 1d74b1407aab06c96b00a249ea20458f1f2cabcb Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 20 Aug 2021 15:16:46 +0200
Subject: [PATCH] Ensure that the OAuth 2 state parameter is cleared in all cases

---
 .../lib/action/AbstractOauth2Action.class.php | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php b/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
index 5ac9397644..f769c43e1f 100644
--- a/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
+++ b/wcfsetup/install/files/lib/action/AbstractOauth2Action.class.php
@@ -122,17 +122,19 @@ abstract class AbstractOauth2Action extends AbstractAction
 */
 protected function validateState()
 {
- if (!isset($_GET['state'])) {
- throw new StateValidationException('Missing state parameter');
- }
- if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
- throw new StateValidationException('Missing state in session');
- }
- if (!\hash_equals($sessionState, (string)$_GET['state'])) {
- throw new StateValidationException('Mismatching state');
+ try {
+ if (!isset($_GET['state'])) {
+ throw new StateValidationException('Missing state parameter');
+ }
+ if (!($sessionState = WCF::getSession()->getVar(self::STATE))) {
+ throw new StateValidationException('Missing state in session');
+ }
+ if (!\hash_equals($sessionState, (string)$_GET['state'])) {
+ throw new StateValidationException('Mismatching state');
+ }
+ } finally {
+ WCF::getSession()->unregister(self::STATE);
 }
-
- WCF::getSession()->unregister(self::STATE);
 }

 /**
--
2.20.1
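Review bot: The retained `isset($_GET['state'])` guard inside the new `try` still admits an array-valued query parameter (`?state[]=x` satisfies `isset()`), so the `(string)$_GET['state']` cast passed to `\hash_equals()` emits an "Array to string conversion" warning before the mismatch is reported; rejecting non-string input up front keeps the failure path clean: `if (!isset($_GET['state']) || !\is_string($_GET['state'])) {`. The truthiness test `!($sessionState = WCF::getSession()->getVar(self::STATE))` also treats a stored value of `''` or `'0'` as "missing", which is presumably harmless if the registering code always produces a long random token, but that is not visible in this hunk and is worth confirming there. With `finally` the session state is now consumed on every exit path, including the three exception paths, which is the single-use behaviour the commit title describes. The method is fully contained in the hunk; its docblock and the enclosing `AbstractOauth2Action` class start outside it.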