# HG changeset patch
# User Kim Alvefur
# Date 1725103855 -7200
# Node ID 5f8a306c830613d72c91a8ea903f81624fa82229
# Parent e8bf46a7bb27e9ee864b612eeadf82dfae2db112
mod_http_oauth2: Require a stringprepped host part of URLs
diff -r e8bf46a7bb27 -r 5f8a306c8306 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Aug 29 18:03:23 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Aug 31 13:30:55 2024 +0200
@@ -38,6 +38,14 @@
 if not (port > 0 and port <= 0xffff) then return false; end
 if port ~= math.floor(port) then return false; end
 end
+ if url_parts.host then
+ if encodings.stringprep.nameprep(url_parts.host) ~= url_parts.host then
+ return false;
+ end
+ if not encodings.idna.to_ascii(url_parts) then
+ return false;
+ end
+ end
 return url_parts;
 end
@@ -1410,7 +1418,7 @@
 end
 local client_uri = strict_url_parse(client_metadata.client_uri);
- if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
+ if not client_uri or client_uri.scheme ~= "https" or not client_uri.host or loopbacks:contains(client_uri.host) then
 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 end
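Review bot: `encodings.idna.to_ascii(url_parts)` in the first hunk is handed the whole parsed-URL table instead of the host string the surrounding nameprep check just validated; as far as I can tell to_ascii expects a string, so for every URL that has a host this either raises or yields nothing usable and strict_url_parse rejects valid URLs rather than only non-canonical ones. The line should read `if not encodings.idna.to_ascii(url_parts.host) then`. Note also that `nameprep(host) ~= host` refuses rather than normalises, so a host with upper-case letters such as `https://Example.com` is now rejected; if that is intended, say so with a comment like `-- host must already be canonical (nameprepped); we reject, not normalise`. strict_url_parse begins before this hunk, and `encodings` is presumably the util.encodings import from earlier in the file.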
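Review bot: The added `not client_uri.host` guard in the second hunk catches a nil host but not an empty one; if the parser behind strict_url_parse yields `host = ""` for an input like `https:///path` (not visible here), the empty string is truthy in Lua, passes both this guard and the new nameprep comparison, and ends up in `loopbacks:contains("")`. If that case is reachable, either extend the condition to `not client_uri.host or client_uri.host == ""` or reject empty hosts inside strict_url_parse so every caller is covered. The enclosing function starts and ends outside the hunk.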