Mercurial Mercurial > prosody > prosody-modules / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Reject loopback URIs as client_uri
authorKim Alvefur <zash@zash.se>
Tue, 02 May 2023 16:20:55 +0200
changeset 5405 c8d04ac200fc
parent 5404 71766a4a7322
child 5406 fbf3ede7541b
mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.
mod_http_oauth2/mod_http_oauth2.lua file | annotate | diff | comparison | revisions 
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:14:22 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:20:55 2023 +0200
@@ -754,7 +754,7 @@
 	end
 
 	local client_uri = url.parse(client_metadata.client_uri);
-	if not client_uri or client_uri.scheme ~= "https" then
+	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
 	end
prosody-modules