changeset 5956:97375a78d2b5

mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999) The LuaSocket parser supports these but they're deprecated without replacement by RFC 3986 > Use of the format "user:password" in the userinfo field is deprecated Allowing it in OAuth2 URLs is probably bad from a security perspective.
author Kim Alvefur <zash@zash.se>
date Thu, 29 Aug 2024 16:02:46 +0200
parents 0616a6687d0c
children e8bf46a7bb27
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 9 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Aug 19 20:17:52 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Aug 29 16:02:46 2024 +0200
@@ -28,6 +28,13 @@
 	end
 end
 
+local function strict_url_parse(urlstr)
+	local url_parts = url.parse(urlstr);
+	if not url_parts then return url_parts; end
+	if url_parts.userinfo then return false; end
+	return url_parts;
+end
+
 local function strict_formdecode(query)
 	if not query then
 		return nil;
@@ -1361,7 +1368,7 @@
 end
 
 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
-	local uri = url.parse(redirect_uri);
+	local uri = strict_url_parse(redirect_uri);
 	if not uri then
 		return false;
 	end
@@ -1396,7 +1403,7 @@
 		});
 	end
 
-	local client_uri = url.parse(client_metadata.client_uri);
+	local client_uri = strict_url_parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 	end