Don't redirect to arbitrary URLs when a bad redirect_uri is given. Instead, just die with an error message. Prevents the Oauth server from being used as an open redirect.
commit 07d0b2bf80078e8ce1accba88696c22dbf244d7a 1 parent f6364d4
@cheald authored
Showing with 5 additions and 2 deletions.
  1. +5 −2 lib/rack/oauth2/server.rb
7 lib/rack/oauth2/server.rb
@@ -296,9 +296,12 @@ def request_authorization(request, logger)
uri.query = Rack::Utils.build_query request.GET.merge(:authorization => auth_request.id.to_s)
return redirect_to(uri, 303)
end
- rescue OAuthError=>error
+ rescue RedirectUriMismatchError => error
+ logger.error "RO2S: Authorization request error #{error.code}: #{error.message}" if logger
+ return bad_request("Error: %s" % error.message)
+ rescue OAuthError => error
logger.error "RO2S: Authorization request error #{error.code}: #{error.message}" if logger
- params = { :error=>error.code, :error_description=>error.message, :state=>state }
+ params = { :error => error.code, :error_description => error.message, :state => state }
if response_type == "token"
redirect_uri.fragment = Rack::Utils.build_query(params)
else # response type is code, or invalid
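Review bot: The new `rescue RedirectUriMismatchError => error` clause only works because it sits before the broader `rescue OAuthError => error`; if RedirectUriMismatchError is a subclass of OAuthError (which this fix presumes), reordering the two rescues would silently send a mismatched redirect_uri back down the 303 redirect path, so a short comment on the first rescue noting the ordering dependency, plus a test asserting that a mismatched redirect_uri returns a 400 and not a 303, would protect the fix. The `logger.error "RO2S: Authorization request error ..."` line is now duplicated verbatim in both branches and could be hoisted into one rescue that branches on `error.is_a?(RedirectUriMismatchError)`. Two smaller points: the whitespace-only change to the `params = { :error => ... }` hash is unrelated to the security fix and would be easier to audit in its own commit, and `bad_request("Error: %s" % error.message)` echoes the error text into the response body, so if `bad_request` ever renders as HTML rather than text/plain the message needs escaping.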