Bug #13740
openWt::Auth::OAuthRedirectEndpoint: possible concurrency issues
0%
Description
Normally, each Wt::Auth::OAuthRedirectEndpoint object will not receive multiple requests simultaneously. However, in rare cases (e.g. in case of connectivity issues), multiple redirects may be received simultaneously. This may result in a crash, as the Wt::Auth::OAuthRedirectEndpoint::handleRequest does not seem to be implemented in a thread safe manner. E.g. handleRequest calls OAuthProcess::requestToken, which destructed the previous Http::Client. Hence, while one thread is still executing the Http::Client::post method, another thread may already destruct the client.
Possible solutions
- Use proper locking while accessing the
OAuthProcessobject. - Use
setTakesUpdateLockto avoid concurrency issues. In the non-popup mode, this should be reasonable, but in case of a popup is used, locking the application may be undesired.
Updated by Matthias Van Ceulebroeck about 1 month ago
- Target version set to 4.12.2
Thanks for the submission, Dries.
I indeed think me way require a custom lock, not the WApplication::UpdateLock, as blocking the UI for a prolonged amount of time may not be desired.
Updated by Romain Mardulyn 18 days ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn
Updated by Romain Mardulyn 12 days ago
- Status changed from InProgress to Review
- Assignee deleted (
Romain Mardulyn)