mod_http_oauth2: Validate that redirect URIs are absolute
authorKim Alvefur <zash@zash.se>
Sat, 11 Mar 2023 22:25:22 +0100
changeset 5244 001908044d0d
parent 5243 8620a635106e
child 5245 65892dd1d4ae
mod_http_oauth2: Validate that redirect URIs are absolute
mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:30:58 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:22 2023 +0100
@@ -602,7 +602,7 @@
 
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		local components = url.parse(redirect_uri);
-		if not components then
+		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
 		end
 	end