Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5956:97375a78d2b5
mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999)
The LuaSocket parser supports these but they're deprecated without
replacement by RFC 3986
> Use of the format "user:password" in the userinfo field is deprecated
Allowing it in OAuth2 URLs is probably bad from a security perspective.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 29 Aug 2024 16:02:46 +0200 |
| parents | 46394b327d17 |
| children | e8bf46a7bb27 |
comparison
equal
deleted
inserted
replaced
| 5955:0616a6687d0c | 5956:97375a78d2b5 |
|---|---|
| 24 | 24 |
| 25 local function tmap(t) | 25 local function tmap(t) |
| 26 return function(k) | 26 return function(k) |
| 27 return t[k]; | 27 return t[k]; |
| 28 end | 28 end |
| 29 end | |
| 30 | |
| 31 local function strict_url_parse(urlstr) | |
| 32 local url_parts = url.parse(urlstr); | |
| 33 if not url_parts then return url_parts; end | |
| 34 if url_parts.userinfo then return false; end | |
| 35 return url_parts; | |
| 29 end | 36 end |
| 30 | 37 |
| 31 local function strict_formdecode(query) | 38 local function strict_formdecode(query) |
| 32 if not query then | 39 if not query then |
| 33 return nil; | 40 return nil; |
| 1359 props["policy_uri#" .. locale] = props["policy_uri"]; | 1366 props["policy_uri#" .. locale] = props["policy_uri"]; |
| 1360 end | 1367 end |
| 1361 end | 1368 end |
| 1362 | 1369 |
| 1363 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) | 1370 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) |
| 1364 local uri = url.parse(redirect_uri); | 1371 local uri = strict_url_parse(redirect_uri); |
| 1365 if not uri then | 1372 if not uri then |
| 1366 return false; | 1373 return false; |
| 1367 end | 1374 end |
| 1368 if not uri.scheme then | 1375 if not uri.scheme then |
| 1369 return false; -- no relative URLs | 1376 return false; -- no relative URLs |
| 1394 }; | 1401 }; |
| 1395 }; | 1402 }; |
| 1396 }); | 1403 }); |
| 1397 end | 1404 end |
| 1398 | 1405 |
| 1399 local client_uri = url.parse(client_metadata.client_uri); | 1406 local client_uri = strict_url_parse(client_metadata.client_uri); |
| 1400 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then | 1407 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then |
| 1401 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); | 1408 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); |
| 1402 end | 1409 end |
| 1403 | 1410 |
| 1404 if not client_metadata.application_type and redirect_uri_allowed(client_metadata.redirect_uris[1], client_uri, "native") then | 1411 if not client_metadata.application_type and redirect_uri_allowed(client_metadata.redirect_uris[1], client_uri, "native") then |