Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5457:9156a4754466
mod_http_oauth2: Reject relative redirect URIs
Also prevents a nil scheme from causing trouble
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 16 May 2023 22:16:39 +0200 |
| parents | 9008aea491bf |
| children | 813fe4f76286 |
comparison
equal
deleted
inserted
replaced
| 5456:9008aea491bf | 5457:9156a4754466 |
|---|---|
| 805 }; | 805 }; |
| 806 } | 806 } |
| 807 | 807 |
| 808 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) | 808 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) |
| 809 local uri = url.parse(redirect_uri); | 809 local uri = url.parse(redirect_uri); |
| 810 if not uri.scheme then | |
| 811 return false; -- no relative URLs | |
| 812 end | |
| 810 if app_type == "native" then | 813 if app_type == "native" then |
| 811 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; | 814 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; |
| 812 elseif app_type == "web" then | 815 elseif app_type == "web" then |
| 813 return uri.scheme == "https" and uri.host == client_uri.host; | 816 return uri.scheme == "https" and uri.host == client_uri.host; |
| 814 end | 817 end |