Comparing changes

base fork: cheald/rack-oauth2-server
base: a582b30e8d
...
head fork: cheald/rack-oauth2-server
compare: 07d0b2bf80
  • 2 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Commits on Feb 08, 2012
@cheald Use Rack::Utils since it's already there f6364d4
@cheald Don't redirect to arbitrary URLs when a bad redirect_uri is given. Instead, just die with an error message. Prevents the OAuth server from being used as an open redirect.
07d0b2b
Showing with 6 additions and 7 deletions.
  1. +6 −3 lib/rack/oauth2/server.rb
  2. +0 −4 lib/rack/oauth2/server/utils.rb
9 lib/rack/oauth2/server.rb
@@ -293,12 +293,15 @@ def request_authorization(request, logger)
# handle the rest.
auth_request = AuthRequest.create(client, requested_scope, redirect_uri.to_s, response_type, state)
uri = URI.parse(request.url)
- uri.query = Utils.hash_to_query request.GET.merge(:authorization => auth_request.id.to_s)
+ uri.query = Rack::Utils.build_query request.GET.merge(:authorization => auth_request.id.to_s)
return redirect_to(uri, 303)
end
- rescue OAuthError=>error
+ rescue RedirectUriMismatchError => error
+ logger.error "RO2S: Authorization request error #{error.code}: #{error.message}" if logger
+ return bad_request("Error: %s" % error.message)
+ rescue OAuthError => error
logger.error "RO2S: Authorization request error #{error.code}: #{error.message}" if logger
- params = { :error=>error.code, :error_description=>error.message, :state=>state }
+ params = { :error => error.code, :error_description => error.message, :state => state }
if response_type == "token"
redirect_uri.fragment = Rack::Utils.build_query(params)
else # response type is code, or invalid
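Review bot: the two rescue branches repeat the same `logger.error` line; since `RedirectUriMismatchError` is presumably a subclass of `OAuthError` (the narrower rescue must come first, as it does here, because Ruby takes the first matching clause), consider logging once and branching only on the response. The important part of the change is that a mismatched redirect_uri now ends in `bad_request` instead of a redirect carrying the error parameters, which closes the open-redirect path; please also check that `error.message` in `bad_request("Error: %s" % error.message)` is either served as text/plain or HTML-escaped, because if the message echoes the supplied redirect_uri it is attacker-controlled input reaching the response body. The `Rack::Utils.build_query` swap is fine, but note that `request.GET` has string keys while `:authorization` is a symbol, so a pre-existing `authorization` query parameter would survive alongside the new one rather than being overwritten by `merge`.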
4 lib/rack/oauth2/server/utils.rb
@@ -20,10 +20,6 @@ def parse_redirect_uri(redirect_uri)
def normalize_scope(scope)
(Array === scope ? scope.join(" ") : scope || "").split(/\s+/).compact.uniq.sort
end
-
- def hash_to_query(hsh)
- hsh.map {|k,v| "%s=%s" % [Rack::Utils.escape(k), Rack::Utils.escape(v)] }.join("&")
- end
end
end
end
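Review bot: removing `hash_to_query` is safe only if `server.rb` was its sole caller; the compare shows one call site replaced, so a grep across the gem (specs included) for `hash_to_query` before merging would confirm no other reference breaks. Behaviourally `Rack::Utils.build_query` is a superset of the removed helper: it escapes keys and values the same way but also expands Array values into repeated `key=value` pairs, which the removed `"%s=%s"` version would have flattened through `to_s`.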

No commit comments for this range