
Enforce open redirection fix
babelouest committed Jan 26, 2024
1 parent 5923938 commit c91c015
Showing 1 changed file with 3 additions and 13 deletions.
16 changes: 3 additions & 13 deletions src/plugin/protocol_oidc.c
Expand Up @@ -3803,8 +3803,6 @@ static int check_client_redirect_uri_valid(struct _oidc_config * config,
} else {
uri_found = 0;
}
} else {
uri_found = 1;
}
if (!uri_found) {
y_log_message(Y_LOG_LEVEL_DEBUG, "check_client_redirect_uri_valid - oidc - Error, redirect_uri '%s' is invalid for the client '%s', origin: %s", redirect_uri, client_id, ip_source);
Expand Down Expand Up @@ -3834,14 +3832,11 @@ static json_t * check_client_valid_without_secret(struct _oidc_config * config,
j_client = config->glewlwyd_config->glewlwyd_plugin_callback_get_client(config->glewlwyd_config, client_id);
if (check_result_value(j_client, G_OK) && json_object_get(json_object_get(j_client, "client"), "enabled") == json_true()) {
if (redirect_uri != NULL) {
uri_found = 0;
json_array_foreach(json_object_get(json_object_get(j_client, "client"), "redirect_uri"), index, j_element) {
if (0 == o_strcmp(json_string_value(j_element), redirect_uri)) {
uri_found = 1;
}
}
} else {
uri_found = 1;
}

authorization_type_enabled = 1;
Expand Down Expand Up @@ -4003,8 +3998,6 @@ static json_t * check_client_valid(struct _oidc_config * config,
} else {
if (redirect_uri != NULL) {
uri_found = json_array_has_string(json_object_get(json_object_get(j_client, "client"), "redirect_uri"), redirect_uri);
} else {
uri_found = 1;
}

authorization_type_enabled = 1;
Expand Down Expand Up @@ -14165,7 +14158,7 @@ static int callback_oidc_authorization(const struct _u_request * request, struct
}
}

if (!o_strnullempty(client_id) && !o_strnullempty(redirect_uri) && check_client_redirect_uri_valid(config, client_id, redirect_uri, ip_source) != G_OK) {
if (!o_strnullempty(response_type) && check_client_redirect_uri_valid(config, client_id, redirect_uri, ip_source) != G_OK) {
y_log_message(Y_LOG_LEVEL_DEBUG, "callback_oidc_authorization - invlid client identified with redirect_uri");
response->status = 403;
break;
Expand Down Expand Up @@ -14274,7 +14267,7 @@ static int callback_oidc_authorization(const struct _u_request * request, struct
login_hint = json_string_value(json_object_get(json_object_get(j_request, "request"), "login_hint"));
prompt = json_string_value(json_object_get(json_object_get(j_request, "request"), "prompt"));
max_age = json_string_value(json_object_get(json_object_get(j_request, "request"), "max_age"));
if (!o_strnullempty(client_id) && !o_strnullempty(redirect_uri) && check_client_redirect_uri_valid(config, client_id, redirect_uri, ip_source) != G_OK) {
if (check_client_redirect_uri_valid(config, client_id, redirect_uri, ip_source) != G_OK) {
y_log_message(Y_LOG_LEVEL_DEBUG, "callback_oidc_authorization - invlid client identified with redirect_uri");
response->status = 403;
break;
Expand Down Expand Up @@ -14523,10 +14516,7 @@ static int callback_oidc_authorization(const struct _u_request * request, struct

// Check if at least one scope has been provided
if (o_strnullempty(scope)) {
// Scope is not allowed for this user
y_log_message(Y_LOG_LEVEL_DEBUG, "oidc validate_endpoint_auth - scope list is missing or empty or scope 'openid' missing, origin: %s", ip_source);
u_map_put(&map_redirect, "error", "invalid_scope");
build_auth_response(config, response, response_mode, json_object_get(j_client, "client"), redirect_uri, &map_redirect);
response->status = 403;
break;
}

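Review bot: Dropping the `!o_strnullempty(client_id) && !o_strnullempty(redirect_uri)` guards at the two callback_oidc_authorization hunks (14158 and 14267) means check_client_redirect_uri_valid can now be called with a NULL client_id or redirect_uri, while the hunk at 3803 removes the `} else { uri_found = 1; }` branch that presumably handled the missing-redirect_uri case — what uri_found holds for that input now depends on its initialization above the hunk, and the debug log in that hunk passes both pointers to `%s`, which is undefined for NULL. Unless an earlier check in that function (outside the hunk) already rejects them, I'd add an explicit guard at its top, e.g. `if (o_strnullempty(client_id) || o_strnullempty(redirect_uri)) { return G_ERROR_PARAM; }`, so a missing parameter fails closed instead of relying on the o_strcmp/json_array_has_string paths and the log format tolerating NULL. The two call sites are also gated differently — the first on `!o_strnullempty(response_type)`, the second unconditionally — so it is worth confirming that a request with an empty response_type cannot still reach build_auth_response with an unvalidated redirect_uri. All four enclosing functions start and end outside their hunks.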
