tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 10:18:38 +00:00
Code Releases Activity

Ignore the trailing slashes when comparing oauth2 redirect_uri (#26597)

Browse Source 
Fix #26526
This commit is contained in:
wxiaoguang
2023-08-21 12:15:55 +08:00
committed by GitHub
parent 3db3f5daae
commit 3be80a863b
2 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
models/auth/oauth2.go
View File

@@ -132,6 +132,15 @@ func (app *OAuth2Application) TableName() string {
// ContainsRedirectURI checks if redirectURI is allowed for app
func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
contains := func(s string) bool {
s = strings.TrimSuffix(strings.ToLower(s), "/")
for _, u := range app.RedirectURIs {
if strings.TrimSuffix(strings.ToLower(u), "/") == s {
return true
}
}
return false
}
if !app.ConfidentialClient {
uri, err := url.Parse(redirectURI)
// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
@@ -140,13 +149,13 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
if ip != nil && ip.IsLoopback() {
// strip port
uri.Host = uri.Hostname()
if util.SliceContainsString(app.RedirectURIs, uri.String(), true) {
if contains(uri.String()) {
return true
}
}
}
}
return util.SliceContainsString(app.RedirectURIs, redirectURI, true)
return contains(redirectURI)
}
// Base32 characters, but lowercased.