
Ignore port for loopback redirect URIs (#21293)

Following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Fixes #21285
M Hickford
2022-09-28 23:19:55 +01:00
committed by GitHub
parent 0e83ab8df7
commit 6a45a691c1
2 changed files with 33 additions and 0 deletions


@ -10,6 +10,7 @@ import (
"encoding/base32"
"encoding/base64"
"fmt"
"net"
"net/url"
"strings"
@ -56,6 +57,18 @@ func (app *OAuth2Application) PrimaryRedirectURI() string {
// ContainsRedirectURI checks if redirectURI is allowed for app
func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
uri, err := url.Parse(redirectURI)
// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
if err == nil && uri.Scheme == "http" && uri.Port() != "" {
ip := net.ParseIP(uri.Hostname())
if ip != nil && ip.IsLoopback() {
// strip port
uri.Host = uri.Hostname()
if util.IsStringInSlice(uri.String(), app.RedirectURIs, true) {
return true
}
}
}
return util.IsStringInSlice(redirectURI, app.RedirectURIs, true)
}
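Review bot: The port strip at `uri.Host = uri.Hostname()` also drops the brackets of an IPv6 literal, because `Hostname()` returns `::1` for a request such as `http://[::1]:3456/` (constructed example). `uri.String()` then yields `http://::1/`, which will not match a correctly registered `http://[::1]/`. As written, the RFC 8252 section 7.3 allowance works only for IPv4 loopback, unless the application registers a bracket-less, non-standard URI. Removing only the port suffix keeps the literal intact: `uri.Host = strings.TrimSuffix(uri.Host, ":"+uri.Port())` (`strings` is already in the import block). A test that checks `http://[::1]:3456/` against a registered `http://[::1]/` would pin the behaviour.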