Changeset

5458:813fe4f76286

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.
author Kim Alvefur <zash@zash.se>
date Tue, 16 May 2023 22:18:12 +0200
parents 5457:9156a4754466
children 5459:260a859be86a
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 16 22:16:39 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 16 22:18:12 2023 +0200
@@ -174,6 +174,11 @@
 	return (module:http_url(nil, "/"):gsub("/$", ""));
 end
 
+-- Non-standard special redirect URI that has the AS show the authorization
+-- code to the user for them to copy-paste into the client, which can then
+-- continue as if it received it via redirect.
+local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
+
 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
 local function is_secure_redirect(uri)
 	local u = url.parse(uri);
@@ -295,7 +300,7 @@
 	end
 
 	local redirect_uri = get_redirect_uri(client, params.redirect_uri);
-	if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then
+	if redirect_uri == oob_uri then
 		-- TODO some nicer template page
 		-- mod_http_errors will set content-type to text/html if it catches this
 		-- event, if not text/plain is kept for the fallback text.
@@ -811,7 +816,7 @@
 		return false; -- no relative URLs
 	end
 	if app_type == "native" then
-		return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
+		return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil;
 	elseif app_type == "web" then
 		return uri.scheme == "https" and uri.host == client_uri.host;
 	end