
mod_http_oauth2/mod_http_oauth2.lua @ 5475:022733437fef

mod_http_oauth2: Validate redirect_uri before using it for error redirects To be extra sure that it is safe to use in redirects from this point on.
author Kim Alvefur <zash@zash.se>
date Thu, 18 May 2023 14:02:09 +0200
parent 5474:d0b93105b289
child 5476:575f52b15f5a
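--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -700,10 +700,15 @@
 local ok, client = verify_client(params.client_id);
 
 if not ok then
 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
 end
+
+if not get_redirect_uri(client, params.redirect_uri) then
+return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter"));
+end
+-- From this point we know that redirect_uri is safe to use
 
 local client_response_types = set.new(array(client.response_types or { "code" }));
 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
 if not client_response_types:contains(params.response_type) then
 return error_response(request, oauth_error("invalid_client", "'response_type' not allowed"));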
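Review bot: The new check at lines 706-708 uses get_redirect_uri only as a boolean gate and discards its result, so whatever value the later error_response redirects to is presumably re-derived separately from the value that was validated here, and the two can drift if normalization ever differs. Capturing the validated result once, `local redirect_uri = get_redirect_uri(client, params.redirect_uri);` followed by `if not redirect_uri then` for the error branch, and passing that variable downstream keeps the validated and the used value identical. Failing closed with render_error rather than a redirect in this branch is the right choice, since the redirect target is exactly the thing not yet verified. The comment at line 709 could carry the reason it matters: `-- redirect_uri now matches the client's registration; only from here may error_response redirect to it` (hedged, as get_redirect_uri and error_response are not visible in the hunk). The enclosing handler both starts before and continues past this hunk.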