mod_http_oauth2: Reject relative redirect URIs
Also prevents a nil scheme from causing trouble
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 21:10:55 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:16:39 2023 +0200
@@ -807,6 +807,9 @@
local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
local uri = url.parse(redirect_uri);
+ if not uri.scheme then
+ return false; -- no relative URLs
+ end
if app_type == "native" then
return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
elseif app_type == "web" then