changeset 5241:65892dd1d4ae

mod_http_oauth2: Reject insecure redirect URIs Is this enough, or are they going to be using ftp:// and gopher://?
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:25:50 +0100 (21 months ago)
parents 001908044d0d
children 4746609a6656
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 2 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:22 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:50 2023 +0100
@@ -604,6 +604,8 @@
 		local components = url.parse(redirect_uri);
 		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
+		elseif components.scheme == "http" and components.host ~= "localhost" then
+			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
 		end
 	end