| changeset 5461 | 9156a4754466 |
| parent 5460 | 9008aea491bf |
| child 5462 | 813fe4f76286 |
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 21:10:55 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:16:39 2023 +0200 @@ -807,6 +807,9 @@ local function redirect_uri_allowed(redirect_uri, client_uri, app_type) local uri = url.parse(redirect_uri); + if not uri.scheme then + return false; -- no relative URLs + end if app_type == "native" then return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; elseif app_type == "web" then