Mercurial > prosody-modules

changeset 5457:9156a4754466

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble
author Kim Alvefur <zash@zash.se>
date Tue, 16 May 2023 22:16:39 +0200
parents 9008aea491bf
children 813fe4f76286
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 3 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 16 21:10:55 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 16 22:16:39 2023 +0200
@@ -807,6 +807,9 @@
 
 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
 	local uri = url.parse(redirect_uri);
+	if not uri.scheme then
+		return false; -- no relative URLs
+	end
 	if app_type == "native" then
 		return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
 	elseif app_type == "web" then