Bug #13740
Wt::Auth::OAuthRedirectEndpoint: possible concurrency issues
100%
Description
Normally, each Wt::Auth::OAuthRedirectEndpoint object will not receive multiple requests simultaneously. However, in rare cases (e.g. in case of connectivity issues), multiple redirects may be received simultaneously. This may result in a crash, as the Wt::Auth::OAuthRedirectEndpoint::handleRequest does not seem to be implemented in a thread-safe manner. E.g. handleRequest calls OAuthProcess::requestToken, which destructs the previous Http::Client. Hence, while one thread is still executing the Http::Client::post method, another thread may already destruct the client.
Possible solutions
- Use proper locking while accessing the OAuthProcess object.
- Use setTakesUpdateLock to avoid concurrency issues. In the non-popup mode, this should be reasonable, but in case a popup is used, locking the application may be undesired.
Updated by Matthias Van Ceulebroeck 6 months ago
- Target version set to 4.12.2
Thanks for the submission, Dries.
I indeed think we may require a custom lock, not the WApplication::UpdateLock, as blocking the UI for a prolonged amount of time may not be desired.
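The following is an added illustration of the per-object lock discussed above; it is not Wt code and not the fix that was implemented. FakeClient, FakeProcess and runConcurrentRedirects are hypothetical stand-ins for Http::Client, OAuthProcess and simultaneous redirect requests, and the sleep is a constructed placeholder for network I/O.

```cpp
#include <atomic>
#include <chrono>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for Http::Client: records destruction during post().
struct FakeClient {
  std::atomic<bool> busy{false};
  static std::atomic<int> destroyedWhileBusy;
  void post() {
    busy = true;
    std::this_thread::sleep_for(std::chrono::milliseconds(2)); // simulated I/O
    busy = false;
  }
  ~FakeClient() { if (busy) ++destroyedWhileBusy; }
};
std::atomic<int> FakeClient::destroyedWhileBusy{0};

// Hypothetical stand-in for OAuthProcess, guarded by its own mutex rather
// than an application-wide update lock.
class FakeProcess {
public:
  void requestToken() {
    // Without this guard, one thread's reset() could destruct the client
    // while another thread is still inside post().
    std::lock_guard<std::mutex> guard(mutex_);
    client_.reset(new FakeClient()); // destructs the previous client
    client_->post();
    ++completed_;
  }
  int completed() const {
    std::lock_guard<std::mutex> guard(mutex_);
    return completed_;
  }
private:
  mutable std::mutex mutex_;
  std::unique_ptr<FakeClient> client_;
  int completed_ = 0;
};

// Simulates n redirects arriving at the same endpoint at once. Returns the
// number of clients that were destructed while a post was in flight.
int runConcurrentRedirects(int n, FakeProcess& process) {
  std::vector<std::thread> threads;
  for (int i = 0; i < n; ++i)
    threads.emplace_back([&process] { process.requestToken(); });
  for (auto& t : threads) t.join();
  return FakeClient::destroyedWhileBusy.load();
}
```

The mutex serializes only access to the process object, so other sessions and the UI event loop are not blocked while a token request is handled.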
Updated by Romain Mardulyn 5 months ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn
Updated by Romain Mardulyn 5 months ago
- Status changed from InProgress to Review
- Assignee deleted (Romain Mardulyn)
Updated by Matthias Van Ceulebroeck 19 days ago
- Assignee set to Matthias Van Ceulebroeck
Updated by Matthias Van Ceulebroeck 14 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Matthias Van Ceulebroeck to Romain Mardulyn
- % Done changed from 0 to 100