Merge branch 'master' into pkce

oauthlib · May 29, 2021 · 51bb0d0 · 51bb0d0
2 parents 03be816 + 78c4b74
commit 51bb0d0
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 27 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -3,6 +3,10 @@ Changelog
 
 3.1.1 (TBD)
 ------------------
+OAuth2.0 Provider - Bugfixes
+
+  * #753: Fix acceptance of valid IPv6 addresses in URI validation
+
 OAuth2.0 Client - Bugfixes
 
   * #730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently

diff --git a/oauthlib/oauth2/rfc6749/endpoints/token.py b/oauthlib/oauth2/rfc6749/endpoints/token.py
@@ -36,7 +36,6 @@ class TokenEndpoint(BaseEndpoint):
         https://example.com/path?query=component             # OK
         https://example.com/path?query=component#fragment    # Not OK
 
-    Since requests to the authorization endpoint result in user
     Since requests to the token endpoint result in the transmission of
     clear-text credentials (in the HTTP request and response), the
     authorization server MUST require the use of TLS as described in

diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
@@ -65,32 +65,8 @@
 IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s" % locals(
 )
 
-#  h16           = 1*4HEXDIG
-h16 = r"(?: %(HEXDIG)s ){1,4}" % locals()
-
-#  ls32          = ( h16 ":" h16 ) / IPv4address
-ls32 = r"(?: (?: %(h16)s : %(h16)s ) | %(IPv4address)s )" % locals()
-
-#   IPv6address   =                            6( h16 ":" ) ls32
-#                 /                       "::" 5( h16 ":" ) ls32
-#                 / [               h16 ] "::" 4( h16 ":" ) ls32
-#                 / [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
-#                 / [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
-#                 / [ *3( h16 ":" ) h16 ] "::"    h16 ":"   ls32
-#                 / [ *4( h16 ":" ) h16 ] "::"              ls32
-#                 / [ *5( h16 ":" ) h16 ] "::"              h16
-#                 / [ *6( h16 ":" ) h16 ] "::"
-IPv6address = r"""(?:                                  (?: %(h16)s : ){6} %(ls32)s |
-                                                    :: (?: %(h16)s : ){5} %(ls32)s |
-                                            %(h16)s :: (?: %(h16)s : ){4} %(ls32)s |
-                         (?: %(h16)s : )    %(h16)s :: (?: %(h16)s : ){3} %(ls32)s |
-                         (?: %(h16)s : ){2} %(h16)s :: (?: %(h16)s : ){2} %(ls32)s |
-                         (?: %(h16)s : ){3} %(h16)s ::     %(h16)s :      %(ls32)s |
-                         (?: %(h16)s : ){4} %(h16)s ::                    %(ls32)s |
-                         (?: %(h16)s : ){5} %(h16)s ::                    %(h16)s  |
-                         (?: %(h16)s : ){6} %(h16)s ::
-                  )
-""" % locals()
+#   IPv6address
+IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
 
 #   IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
 IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()

diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
@@ -0,0 +1,33 @@
+import oauthlib
+from oauthlib.uri_validate import is_absolute_uri
+
+from tests.unittest import TestCase
+
+
+class UriValidateTest(TestCase):
+
+    def test_is_absolute_uri(self):
+
+        self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
+        self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
+        self.assertIsNotNone(is_absolute_uri('https://example.com'))
+        self.assertIsNotNone(is_absolute_uri('https://example.com:443/path'))
+        self.assertIsNotNone(is_absolute_uri('https://example.com:443/'))
+        self.assertIsNotNone(is_absolute_uri('https://example.com:443'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
+        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+        self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+        self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+        self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
+
+        self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
+        self.assertIsNone(is_absolute_uri('wrong'))
+        self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+        self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))