# HG changeset patch # User Kim Alvefur # Date 1684268292 -7200 # Node ID 813fe4f76286b229aa309f080e85595a929de118 # Parent 9156a4754466dcfe2c17334f6e522d21a10f0f57 mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed. diff -r 9156a4754466 -r 813fe4f76286 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:16:39 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:18:12 2023 +0200 @@ -174,6 +174,11 @@ return (module:http_url(nil, "/"):gsub("/$", "")); end +-- Non-standard special redirect URI that has the AS show the authorization +-- code to the user for them to copy-paste into the client, which can then +-- continue as if it received it via redirect. +local oob_uri = "urn:ietf:wg:oauth:2.0:oob"; + local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); local function is_secure_redirect(uri) local u = url.parse(uri); @@ -295,7 +300,7 @@ end local redirect_uri = get_redirect_uri(client, params.redirect_uri); - if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then + if redirect_uri == oob_uri then -- TODO some nicer template page -- mod_http_errors will set content-type to text/html if it catches this -- event, if not text/plain is kept for the fallback text. @@ -811,7 +816,7 @@ return false; -- no relative URLs end if app_type == "native" then - return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; + return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil; elseif app_type == "web" then return uri.scheme == "https" and uri.host == client_uri.host; end
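Review bot: In the first hunk (the new `oob_uri` constant), the comment explains what the out-of-band URI does but not why it needs to be special-cased: its scheme is `urn`, which contains no period and would otherwise be rejected by the private-use scheme check this changeset introduces further down in the native-app branch. A one-line addition such as `-- Allowed explicitly since its "urn" scheme has no period (see is_secure_redirect)` would keep the two pieces of the change tied together for the next reader.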
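Review bot: In the third hunk, the replacement line `return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil;` calls `uri.scheme:find(...)` unconditionally, so it relies on the `return false; -- no relative URLs` guard above having already rejected any URI whose parsed scheme is nil; worth confirming that guard tests `uri.scheme` rather than only `uri.host`, since the old expression `uri.scheme ~= "https"` tolerated a nil scheme and this one raises an error on it. Note also that the OOB comparison is made against the raw `redirect_uri` string while the other terms use the parsed `uri`, which is fine as long as the caller never normalizes the string before parsing; and the line is long enough that splitting the three `or` terms across lines, with a short comment citing draft-ietf-oauth-v2-1-08 section 2.3.1 for the period rule, would make the intent of the minimal check easier to audit.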