Mercurial > prosody-modules
changeset 5956:97375a78d2b5
mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999)
The LuaSocket parser supports these but they're deprecated without
replacement by RFC 3986
> Use of the format "user:password" in the userinfo field is deprecated
Allowing it in OAuth2 URLs is probably bad from a security perspective.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 29 Aug 2024 16:02:46 +0200 |
| parents | 0616a6687d0c |
| children | e8bf46a7bb27 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 9 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Aug 19 20:17:52 2024 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Aug 29 16:02:46 2024 +0200 @@ -28,6 +28,13 @@ end end +local function strict_url_parse(urlstr) + local url_parts = url.parse(urlstr); + if not url_parts then return url_parts; end + if url_parts.userinfo then return false; end + return url_parts; +end + local function strict_formdecode(query) if not query then return nil; @@ -1361,7 +1368,7 @@ end local function redirect_uri_allowed(redirect_uri, client_uri, app_type) - local uri = url.parse(redirect_uri); + local uri = strict_url_parse(redirect_uri); if not uri then return false; end @@ -1396,7 +1403,7 @@ }); end - local client_uri = url.parse(client_metadata.client_uri); + local client_uri = strict_url_parse(client_metadata.client_uri); if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); end