Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5475:022733437fef
mod_http_oauth2: Validate redirect_uri before using it for error redirects
To be extra sure that it is safe to use in redirects from this point on.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 18 May 2023 14:02:09 +0200 |
| parents | d0b93105b289 |
| children | 575f52b15f5a |
comparison
equal
deleted
inserted
replaced
| 5474:d0b93105b289 | 5475:022733437fef |
|---|---|
| 700 local ok, client = verify_client(params.client_id); | 700 local ok, client = verify_client(params.client_id); |
| 701 | 701 |
| 702 if not ok then | 702 if not ok then |
| 703 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); | 703 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); |
| 704 end | 704 end |
| 705 | |
| 706 if not get_redirect_uri(client, params.redirect_uri) then | |
| 707 return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter")); | |
| 708 end | |
| 709 -- From this point we know that redirect_uri is safe to use | |
| 705 | 710 |
| 706 local client_response_types = set.new(array(client.response_types or { "code" })); | 711 local client_response_types = set.new(array(client.response_types or { "code" })); |
| 707 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); | 712 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); |
| 708 if not client_response_types:contains(params.response_type) then | 713 if not client_response_types:contains(params.response_type) then |
| 709 return error_response(request, oauth_error("invalid_client", "'response_type' not allowed")); | 714 return error_response(request, oauth_error("invalid_client", "'response_type' not allowed")); |