Fix an OAuthServer issue where an attacker could make a link function over HTTP…
41b9752ba8a3
Actions

Description

Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only

Summary:
Two behavioral changes:

If the redirect URI for an application is "https", require HTTPS always.
According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names and values for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Provenance

epriestley	Authored on Feb 19 2013, 4:09 PM
themackabu	Pushed on Mar 25 2025, 8:07 PM

Parents

rP2191e99b49a2: Delete unused variable

Branches

Unknown

Tags

Unknown

Path

Size

src/

applications/

oauthserver/

__tests__/