Added whitelist to OAuth consumer callback URLs to allow custom URL s…

…cheme (#3774)
OpenMage · Feb 8, 2024 · bc8f9ec · bc8f9ec
1 parent 0f15166
commit bc8f9ec
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 27 deletions.
diff --git a/app/code/core/Mage/Oauth/Block/Adminhtml/Oauth/Consumer/Edit/Form.php b/app/code/core/Mage/Oauth/Block/Adminhtml/Oauth/Consumer/Edit/Form.php
@@ -92,7 +92,6 @@ protected function _prepareForm()
             'title'     => Mage::helper('oauth')->__('Callback URL'),
             'required'  => false,
             'value'     => $model->getCallbackUrl(),
-            'class'     => 'validate-url',
         ]);
 
         $fieldset->addField('rejected_callback_url', 'text', [
@@ -101,7 +100,6 @@ protected function _prepareForm()
             'title'     => Mage::helper('oauth')->__('Rejected Callback URL'),
             'required'  => false,
             'value'     => $model->getRejectedCallbackUrl(),
-            'class'     => 'validate-url',
         ]);
 
         $fieldset->addField(

diff --git a/app/code/core/Mage/Oauth/Model/Consumer.php b/app/code/core/Mage/Oauth/Model/Consumer.php
@@ -65,6 +65,8 @@ protected function _beforeSave()
         if (!$this->getId()) {
             $this->setUpdatedAt(time());
         }
+        $this->setCallbackUrl(trim($this->getCallbackUrl()));
+        $this->setRejectedCallbackUrl(trim($this->getRejectedCallbackUrl()));
         $this->validate();
         parent::_beforeSave();
         return $this;
@@ -73,26 +75,11 @@ protected function _beforeSave()
     /**
      * Validate data
      *
-     * @return array|bool
+     * @return bool
      * @throw Mage_Core_Exception|Exception   Throw exception on fail validation
      */
     public function validate()
     {
-        if ($this->getCallbackUrl() || $this->getRejectedCallbackUrl()) {
-            $this->setCallbackUrl(trim($this->getCallbackUrl()));
-            $this->setRejectedCallbackUrl(trim($this->getRejectedCallbackUrl()));
-
-            /** @var Mage_Core_Model_Url_Validator $validatorUrl */
-            $validatorUrl = Mage::getSingleton('core/url_validator');
-
-            if ($this->getCallbackUrl() && !$validatorUrl->isValid($this->getCallbackUrl())) {
-                Mage::throwException(Mage::helper('oauth')->__('Invalid Callback URL'));
-            }
-            if ($this->getRejectedCallbackUrl() && !$validatorUrl->isValid($this->getRejectedCallbackUrl())) {
-                Mage::throwException(Mage::helper('oauth')->__('Invalid Rejected Callback URL'));
-            }
-        }
-
         /** @var Mage_Oauth_Model_Consumer_Validator_KeyLength $validatorLength */
         $validatorLength = Mage::getModel('oauth/consumer_validator_keyLength', ['length' => self::KEY_LENGTH]);
 

diff --git a/app/code/core/Mage/Oauth/Model/Server.php b/app/code/core/Mage/Oauth/Model/Server.php
@@ -432,7 +432,12 @@ protected function _validateCallbackUrlParam()
         if (!is_string($this->_protocolParams['oauth_callback'])) {
             $this->_throwException('oauth_callback', self::ERR_PARAMETER_REJECTED);
         }
-        if (self::CALLBACK_ESTABLISHED != $this->_protocolParams['oauth_callback']
+        // Is the callback URL whitelisted?
+        $callbackUrl = $this->_consumer->getCallbackUrl();
+        if ($callbackUrl && strpos($this->_protocolParams['oauth_callback'], $callbackUrl) === 0) {
+            return;
+        }
+        if (self::CALLBACK_ESTABLISHED !== $this->_protocolParams['oauth_callback']
             && !Zend_Uri::check($this->_protocolParams['oauth_callback'])
         ) {
             $this->_throwException('oauth_callback', self::ERR_PARAMETER_REJECTED);

diff --git a/app/code/core/Mage/Oauth/Model/Token.php b/app/code/core/Mage/Oauth/Model/Token.php
@@ -220,18 +220,19 @@ protected function _beforeSave()
     /**
      * Validate data
      *
-     * @return array|bool
+     * @return bool
      * @throw Mage_Core_Exception|Exception   Throw exception on fail validation
      */
     public function validate()
     {
-        /** @var Mage_Core_Model_Url_Validator $validatorUrl */
-        $validatorUrl = Mage::getSingleton('core/url_validator');
-        if (Mage_Oauth_Model_Server::CALLBACK_ESTABLISHED != $this->getCallbackUrl()
-            && !$validatorUrl->isValid($this->getCallbackUrl())
-        ) {
-            $messages = $validatorUrl->getMessages();
-            Mage::throwException(array_shift($messages));
+        if (Mage_Oauth_Model_Server::CALLBACK_ESTABLISHED !== $this->getCallbackUrl()) {
+            $callbackUrl = $this->getConsumer()->getCallbackUrl();
+            $isWhitelisted = $callbackUrl && strpos($this->getCallbackUrl(), $callbackUrl) === 0;
+            $validatorUrl = Mage::getSingleton('core/url_validator');
+            if (!$isWhitelisted && !$validatorUrl->isValid($this->getCallbackUrl())) {
+                $messages = $validatorUrl->getMessages();
+                Mage::throwException(array_shift($messages));
+            }
         }
 
         /** @var Mage_Oauth_Model_Consumer_Validator_KeyLength $validatorLength */