changeset 5240:001908044d0d

mod_http_oauth2: Validate that redirect URIs are absolute
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:25:22 +0100
parents 8620a635106e
children 65892dd1d4ae
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:30:58 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:22 2023 +0100
@@ -602,7 +602,7 @@
 
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		local components = url.parse(redirect_uri);
-		if not components then
+		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
 		end
 	end
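Review bot: The new condition `not components.scheme` accepts any string that parses with a scheme, so a client registration can still carry a redirect URI that has a fragment or uses a scheme the server never intends to redirect to; RFC 6749 section 3.1.2 requires an absolute URI with no fragment component. If `url.parse` here is LuaSocket's (the require is outside the hunk, so this is inferred), the parsed table exposes `fragment` and `host`, and the check could become `if not components or not components.scheme or components.fragment then`. Restricting `components.scheme` to an allowlist (for example `https`, plus whatever the deployment permits for native clients) and requiring `components.host` for http(s) URIs would close the remaining gap, and a one-line comment above the check stating which URI forms are accepted would help the next reader. The enclosing function starts and ends outside the hunk, so any earlier schema validation of `client_metadata.redirect_uris` cannot be confirmed from here.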