From 58f57b3b6cb47cad23a94f92c625d0ac5832c350 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 30 Aug 2020 23:55:01 +0100 Subject: [PATCH] Escape provider name in oauth2 provider redirect (#12648) Signed-off-by: Andrew Thornton Co-authored-by: Lauris BH --- modules/auth/oauth2/oauth2.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go index 78be3954e..2c982e1dc 100644 --- a/modules/auth/oauth2/oauth2.go +++ b/modules/auth/oauth2/oauth2.go @@ -6,6 +6,7 @@ package oauth2 import ( "net/http" + "net/url" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" @@ -119,7 +120,7 @@ func RemoveProvider(providerName string) { // used to create different types of goth providers func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) { - callbackURL := setting.AppURL + "user/oauth2/" + providerName + "/callback" + callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback" var provider goth.Provider var err error