diff options
| author | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-02-07 22:14:06 +0300 |
|---|---|---|
| committer | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-02-07 22:14:06 +0300 |
| commit | 2c68cf7e9ee6718f83f2209e6b009b02b50bc8f4 (patch) | |
| tree | 69d0992f5f10364a993989b6cc16a618b931c6d7 /lib/pleroma/web/oauth/oauth_controller.ex | |
| parent | d84392c9e05342a70d3a759ac380dcd41f22ed0e (diff) | |
| download | pleroma-2c68cf7e9ee6718f83f2209e6b009b02b50bc8f4.tar.gz | |
OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix.
(`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris,
and if that happened before /web/login is accessed for the first time
then Pleroma used this externally created record with arbitrary
redirect_uris and client_secret known by creator).
Diffstat (limited to 'lib/pleroma/web/oauth/oauth_controller.ex')
| -rw-r--r-- | lib/pleroma/web/oauth/oauth_controller.ex | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 4d4e85836..8ec963c79 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -37,6 +37,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do true <- Pbkdf2.checkpw(password, user.password_hash), {:auth_active, true} <- {:auth_active, User.auth_active?(user)}, %App{} = app <- Repo.get_by(App, client_id: client_id), + true <- redirect_uri in String.split(app.redirect_uris), {:ok, auth} <- Authorization.create_authorization(app, user) do # Special case: Local MastodonFE. redirect_uri = |