# HG changeset patch
# User Kim Alvefur
# Date 1724940166 -7200
# Node ID 97375a78d2b58c649ef6669c864fa5920cf4794c
# Parent 0616a6687d0ce2bf7c54dc3ece9913afbe092f69
mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999)

The LuaSocket parser supports these but they're deprecated without replacement by RFC 3986

> Use of the format "user:password" in the userinfo field is deprecated

Allowing it in OAuth2 URLs is probably bad from a security perspective.

diff -r 0616a6687d0c -r 97375a78d2b5 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Aug 19 20:17:52 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Aug 29 16:02:46 2024 +0200
@@ -28,6 +28,13 @@
 	end
 end
 
+local function strict_url_parse(urlstr)
+	local url_parts = url.parse(urlstr);
+	if not url_parts then return url_parts; end
+	if url_parts.userinfo then return false; end
+	return url_parts;
+end
+
 local function strict_formdecode(query)
 	if not query then
 		return nil;
@@ -1361,7 +1368,7 @@
 end
 
 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
-	local uri = url.parse(redirect_uri);
+	local uri = strict_url_parse(redirect_uri);
 	if not uri then
 		return false;
 	end
@@ -1396,7 +1403,7 @@
 	});
 end
 
-	local client_uri = url.parse(client_metadata.client_uri);
+	local client_uri = strict_url_parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 	end
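Review bot: strict_url_parse hands back two different falsy values — `false` when userinfo is present but whatever url.parse returned (nil) when parsing fails — so a caller or log line cannot tell "unparseable" from "rejected on policy"; `if url_parts.userinfo then return nil, "userinfo not allowed"; end` would follow the `nil, err` convention the module already uses (see `return nil, oauth_error(...)` in the client_uri hunk) and keep every failure path returning nil. The helper also needs a doc comment, because the check is intentionally stricter than the quoted RFC text, which deprecates only the `user:password` form: `--- Parse a URL, rejecting any userinfo component.` followed by `-- RFC 3986 deprecates user:password, and a userinfo also lets the authority be misread as a different host, so no form of it is accepted in OAuth2 URLs.` If LuaSocket sets userinfo to an empty string for a bare `@` before the host (its gsub on the authority suggests so), that value is truthy in Lua and is rejected too, which is the desired outcome and worth a one-line comment so it is not "fixed" later. Only the two call sites in this patch are switched to the strict helper; any other `url.parse` of client-supplied URLs elsewhere in the module, not visible here, would still accept userinfo and should be audited.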