Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5457:9156a4754466

mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble
author Kim Alvefur <zash@zash.se>
date Tue, 16 May 2023 22:16:39 +0200
parent 5456:9008aea491bf
child 5458:813fe4f76286
comparison
equal deleted inserted replaced
5456:9008aea491bf 5457:9156a4754466
805 }; 805 };
806 } 806 }
807 807
808 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) 808 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
809 local uri = url.parse(redirect_uri); 809 local uri = url.parse(redirect_uri);
810 if not uri.scheme then
811 return false; -- no relative URLs
812 end
810 if app_type == "native" then 813 if app_type == "native" then
811 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; 814 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
812 elseif app_type == "web" then 815 elseif app_type == "web" then
813 return uri.scheme == "https" and uri.host == client_uri.host; 816 return uri.scheme == "https" and uri.host == client_uri.host;
814 end 817 end