Mercurial > prosody-modules
changeset 5394:434ee49b04de
mod_http_oauth2: Allow loopback IP literals in redirect URIs
Previously only exactly "http://localhost" was allowed, but RFC 8252
seems to recommend both ::1 and 127.0.0.1 be allowed.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 30 Apr 2023 17:16:47 +0200 (19 months ago) |
parents | 9b9d612f9083 |
children | 82207f936f1f |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Apr 30 16:58:53 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Apr 30 17:16:47 2023 +0200 @@ -729,7 +729,7 @@ local function redirect_uri_allowed(redirect_uri, client_uri, app_type) local uri = url.parse(redirect_uri); if app_type == "native" then - return uri.scheme == "http" and uri.host == "localhost" or uri.scheme ~= "https"; + return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; elseif app_type == "web" then return uri.scheme == "https" and uri.host == client_uri.host; end