# HG changeset patch # User Kim Alvefur # Date 1678570262 -3600 # Node ID 4746609a66564e3d1abddf3db485faae47c0c0e0 # Parent 65892dd1d4ae040885068a15b10647efb85acd6e mod_http_oauth2: Validate that informative URLs match the redirect URIs It is a bit shady to have the various URIs (URLs really) point to different hostnames. This may be quite stricter than required, but can always be relaxed later. diff -r 65892dd1d4ae -r 4746609a6656 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:50 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:31:02 2023 +0100 @@ -600,12 +600,27 @@ return oauth_error("invalid_request", "Failed schema validation."); end + local redirect_hosts = set.new(); for _, redirect_uri in ipairs(client_metadata.redirect_uris) do local components = url.parse(redirect_uri); if not components or not components.scheme then return oauth_error("invalid_request", "Invalid redirect URI."); elseif components.scheme == "http" and components.host ~= "localhost" then return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); + elseif components.scheme == "https" then + redirect_hosts:add(components.host); + end + end + + for field, prop_schema in pairs(registration_schema) do + if prop_schema.format == "uri" and client_metadata[field] then + local components = url.parse(client_metadata[field]); + if components.scheme ~= "https" then + return oauth_error("invalid_request", "Insecure URI forbidden"); + end + if not redirect_hosts:contains(components.host) then + return oauth_error("invalid_request", "Informative URI must match redirect URIs"); + end end end