mod_http_oauth2: Reject unparsable URLs
This used to be caught by luaPattern=https:// in the schema but that's
been removed for some reason
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Dec 03 23:44:18 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Dec 03 23:51:54 2023 +0100
@@ -1333,6 +1333,9 @@
local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
local uri = url.parse(redirect_uri);
+ if not uri then
+ return false;
+ end
if not uri.scheme then
return false; -- no relative URLs
end