Project

General

Profile

Actions
Copy link

Bug #13740

open

Wt::Auth::OAuthRedirectEndpoint: possible concurrency issues

Added by Dries Mys 15 days ago. Updated 10 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
4.12.2
Start date:
05/15/2025
Due date:
% Done:

0%

Estimated time:

Description

Normally, each Wt::Auth::OAuthRedirectEndpoint object will not receive multiple requests simultaneously. However, in rare cases (e.g. in case of connectivity issues), multiple redirects may be received simultaneously. This may result in a crash, as the Wt::Auth::OAuthRedirectEndpoint::handleRequest does not seem to be implemented in a thread safe manner. E.g. handleRequest calls OAuthProcess::requestToken, which destructed the previous Http::Client. Hence, while one thread is still executing the Http::Client::post method, another thread may already destruct the client.

Possible solutions

  • Use proper locking while accessing the OAuthProcess object.
  • Use setTakesUpdateLock to avoid concurrency issues. In the non-popup mode, this should be reasonable, but in case of a popup is used, locking the application may be undesired.
Actions
Copy link
 #1

Updated by Matthias Van Ceulebroeck 10 days ago

  • Target version set to 4.12.2

Thanks for the submission, Dries.

I indeed think me way require a custom lock, not the WApplication::UpdateLock, as blocking the UI for a prolonged amount of time may not be desired.

Actions
Copy link

Also available in: Atom PDF