changeset 5958:5f8a306c8306

mod_http_oauth2: Require a stringprepped host part of URLs
author Kim Alvefur <zash@zash.se>
date Sat, 31 Aug 2024 13:30:55 +0200
parents e8bf46a7bb27
children 111eeffb6adf
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 9 insertions(+), 1 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Aug 29 18:03:23 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Aug 31 13:30:55 2024 +0200
@@ -38,6 +38,14 @@
 		if not (port > 0 and port <= 0xffff) then return false; end
 		if port ~= math.floor(port) then return false; end
 	end
+	if url_parts.host then
+		if encodings.stringprep.nameprep(url_parts.host) ~= url_parts.host then
+			return false;
+		end
+		if not encodings.idna.to_ascii(url_parts) then
+			return false;
+		end
+	end
 	return url_parts;
 end
 
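Review bot: The added IDNA check `if not encodings.idna.to_ascii(url_parts) then` passes the whole `url_parts` table, where the nameprep check two lines above it passes `url_parts.host`. Unless `to_ascii` accepts a table, which seems unlikely for a string-encoding function, the call either raises or returns nil, so every URL that has a host would be rejected instead of only those whose host cannot be IDNA-encoded. It should read `if not encodings.idna.to_ascii(url_parts.host) then`. A URL with no host still falls through to `return url_parts;`, so each caller has to test `.host` itself; a one-line comment above the new block saying that would make the contract explicit. The enclosing function starts outside the hunk.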
@@ -1410,7 +1418,7 @@
 	end
 
 	local client_uri = strict_url_parse(client_metadata.client_uri);
-	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
+	if not client_uri or client_uri.scheme ~= "https" or not client_uri.host or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 	end