diff mod_http_oauth2/mod_http_oauth2.lua @ 5475:022733437fef

mod_http_oauth2: Validate redirect_uri before using it for error redirects To be extra sure that it is safe to use in redirects from this point on.
author Kim Alvefur <zash@zash.se>
date Thu, 18 May 2023 14:02:09 +0200
parents d0b93105b289
children 575f52b15f5a
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 13:41:23 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 14:02:09 2023 +0200
@@ -703,6 +703,11 @@
 		return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
 	end
 
+	if not get_redirect_uri(client, params.redirect_uri) then
+		return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter"));
+	end
+	-- From this point we know that redirect_uri is safe to use
+
 	local client_response_types = set.new(array(client.response_types or { "code" }));
 	client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
 	if not client_response_types:contains(params.response_type) then