# HG changeset patch # User Kim Alvefur # Date 1684411329 -7200 # Node ID 022733437fef55573a8964dd2f81eb1f22be00e2 # Parent d0b93105b2896a3ee920d9c27d35c092ffb39b3b mod_http_oauth2: Validate redirect_uri before using it for error redirects To be extra sure that it is safe to use in redirects from this point on. diff -r d0b93105b289 -r 022733437fef mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 13:41:23 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:02:09 2023 +0200 @@ -703,6 +703,11 @@ return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); end + if not get_redirect_uri(client, params.redirect_uri) then + return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter")); + end + -- From this point we know that redirect_uri is safe to use + local client_response_types = set.new(array(client.response_types or { "code" })); client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); if not client_response_types:contains(params.response_type) then
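Review bot: the new check at the top of the hunk throws away the value returned by get_redirect_uri, so everything after the "From this point we know that redirect_uri is safe to use" comment still has to resolve params.redirect_uri a second time; consider capturing it once (`local redirect_uri = get_redirect_uri(client, params.redirect_uri)`, then `if not redirect_uri then ... end`) and using that resolved value for the later redirects, so the URI actually redirected to is the validated one rather than the raw request parameter. Rendering the error in place with render_error instead of redirecting is the correct handling for an invalid redirect_uri, and the comment would be clearer if it said that this is deliberate. Also worth confirming that get_redirect_uri returns the client's sole registered URI when params.redirect_uri is absent, since otherwise this check rejects clients that legitimately omit the parameter.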