Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5767:a967bb4972c5
mod_http_oauth2: Reject unparsable URLs
This used to be caught by luaPattern=https:// in the schema but that's
been removed for some reason
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 03 Dec 2023 23:51:54 +0100 |
| parents | b8a2b3ebe792 |
| children | 990c6adc4407 |
comparison
equal
deleted
inserted
replaced
| 5766:b8a2b3ebe792 | 5767:a967bb4972c5 |
|---|---|
| 1331 end | 1331 end |
| 1332 end | 1332 end |
| 1333 | 1333 |
| 1334 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) | 1334 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) |
| 1335 local uri = url.parse(redirect_uri); | 1335 local uri = url.parse(redirect_uri); |
| 1336 if not uri then | |
| 1337 return false; | |
| 1338 end | |
| 1336 if not uri.scheme then | 1339 if not uri.scheme then |
| 1337 return false; -- no relative URLs | 1340 return false; -- no relative URLs |
| 1338 end | 1341 end |
| 1339 if app_type == "native" then | 1342 if app_type == "native" then |
| 1340 return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil; | 1343 return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil; |