disallow empty state

AlexanderPavlenko · AlexanderPavlenko · commit cf7fc0023f5c · 2012-07-04T16:04:47.000+04:00
diff --git a/lib/omniauth/strategies/oauth2.rb b/lib/omniauth/strategies/oauth2.rb
@@ -63,7 +63,7 @@ def callback_phase
         if request.params['error'] || request.params['error_reason']
           raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
         end
-        if request.params['state'] != session.delete('omniauth.state')
+        if request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state')
           raise CallbackError.new(nil, :csrf_detected)
         end
 
