Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5241:65892dd1d4ae
mod_http_oauth2: Reject insecure redirect URIs
Is this enough, or are they going to be using ftp:// and gopher://?
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 11 Mar 2023 22:25:50 +0100 |
parent | 5240:001908044d0d |
child | 5242:4746609a6656 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:22 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:50 2023 +0100 @@ -604,6 +604,8 @@ local components = url.parse(redirect_uri); if not components or not components.scheme then return oauth_error("invalid_request", "Invalid redirect URI."); + elseif components.scheme == "http" and components.host ~= "localhost" then + return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); end end