Mercurial > prosody-modules
diff mod_http_oauth2/mod_http_oauth2.lua @ 5241:65892dd1d4ae
mod_http_oauth2: Reject insecure redirect URIs
Is this enough, or are they going to be using ftp:// and gopher://?
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 11 Mar 2023 22:25:50 +0100 |
parents | 001908044d0d |
children | 4746609a6656 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:22 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:50 2023 +0100 @@ -604,6 +604,8 @@ local components = url.parse(redirect_uri); if not components or not components.scheme then return oauth_error("invalid_request", "Invalid redirect URI."); + elseif components.scheme == "http" and components.host ~= "localhost" then + return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); end end