loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Ignore the trailing slashes when comparing oauth2 redirect_uri (#26597)

Fix #26526

authored by

wxiaoguang and committed by
GitHub
3be80a86 3db3f5da

+23 -2
+11 -2
models/auth/oauth2.go
··· 132 132 133 133 // ContainsRedirectURI checks if redirectURI is allowed for app 134 134 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool { 135 + contains := func(s string) bool { 136 + s = strings.TrimSuffix(strings.ToLower(s), "/") 137 + for _, u := range app.RedirectURIs { 138 + if strings.TrimSuffix(strings.ToLower(u), "/") == s { 139 + return true 140 + } 141 + } 142 + return false 143 + } 135 144 if !app.ConfidentialClient { 136 145 uri, err := url.Parse(redirectURI) 137 146 // ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 ··· 140 149 if ip != nil && ip.IsLoopback() { 141 150 // strip port 142 151 uri.Host = uri.Hostname() 143 - if util.SliceContainsString(app.RedirectURIs, uri.String(), true) { 152 + if contains(uri.String()) { 144 153 return true 145 154 } 146 155 } 147 156 } 148 157 } 149 - return util.SliceContainsString(app.RedirectURIs, redirectURI, true) 158 + return contains(redirectURI) 150 159 } 151 160 152 161 // Base32 characters, but lowercased.
+12
models/auth/oauth2_test.go
··· 63 63 assert.False(t, app.ContainsRedirectURI(":")) 64 64 } 65 65 66 + func TestOAuth2Application_ContainsRedirect_Slash(t *testing.T) { 67 + app := &auth_model.OAuth2Application{RedirectURIs: []string{"http://127.0.0.1"}} 68 + assert.True(t, app.ContainsRedirectURI("http://127.0.0.1")) 69 + assert.True(t, app.ContainsRedirectURI("http://127.0.0.1/")) 70 + assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other")) 71 + 72 + app = &auth_model.OAuth2Application{RedirectURIs: []string{"http://127.0.0.1/"}} 73 + assert.True(t, app.ContainsRedirectURI("http://127.0.0.1")) 74 + assert.True(t, app.ContainsRedirectURI("http://127.0.0.1/")) 75 + assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other")) 76 + } 77 + 66 78 func TestOAuth2Application_ValidateClientSecret(t *testing.T) { 67 79 assert.NoError(t, unittest.PrepareTestDatabase()) 68 80 app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})