Escape provider name in oauth2 provider redirect (#12650)

6543 · zeripath · web-flow · commit 87f02d90cf4f · 2020-08-30T23:55:19.000+01:00
Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;

Co-authored-by: Andrew Thornton &lt;art27@cantab.net&gt;
diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go
@@ -6,6 +6,7 @@ package oauth2
 
 import (
 	"net/http"
+	"net/url"
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -119,7 +120,7 @@ func RemoveProvider(providerName string) {
 
 // used to create different types of goth providers
 func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {
-	callbackURL := setting.AppURL + "user/oauth2/" + providerName + "/callback"
+	callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback"
 
 	var provider goth.Provider
 	var err error
