0001-idp_oidc-validate-redirect-uri-query-and-fragment-44.patch

Paul Marillonnet, 10 septembre 2020 15:42



Subject: [PATCH] idp_oidc: validate redirect uri query and fragment (#44593)

 src/authentic2_idp_oidc/models.py |  9 +++++++++
 tests/test_idp_oidc.py            | 12 ++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
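--- a/src/authentic2_idp_oidc/models.py
+++ b/src/authentic2_idp_oidc/models.py
@@ -216,6 +216,15 @@
             else:
                 if parsed_uri.path.rstrip('/') != parsed_valid_uri.path.rstrip('/'):
                     continue
+            if parsed_uri.query and (
+                    parsed_valid_uri.query != parsed_uri.query and
+                    parsed_valid_uri.query != '*'):
+                # xxx parameter validation
+                continue
+            if parsed_uri.fragment and (
+                    parsed_valid_uri.fragment != parsed_uri.fragment and
+                    parsed_valid_uri.fragment != '*'):
+                continue
             return
         raise ValueError('redirect_uri is not declared')
 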
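Review bot: The new query and fragment guards only run when the request's redirect_uri actually carries a query or fragment (`if parsed_uri.query and (...)`, `if parsed_uri.fragment and (...)`), so a redirect_uri with no query is accepted against a declared URI that requires a literal query such as `?foo=bar`, and likewise for fragments; RFC 6749 §3.1.2.3 calls for simple string comparison of the full redirect URI, so unless this leniency is intentional the comparison should be unconditional: `if parsed_valid_uri.query != '*' and parsed_valid_uri.query != parsed_uri.query:` (and the same shape for the fragment). Separately, RFC 6749 §3.1.2 says the redirection endpoint URI must not include a fragment component, and in the implicit flow the authorization server itself places the response in the fragment, so tolerating declared `#*` patterns deserves a comment stating why fragments are accepted here. The `# xxx parameter validation` placeholder should become a concrete `# TODO:` describing what is still unvalidated, or be dropped. The enclosing `for` loop and the method it belongs to start outside the hunk.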
  
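--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -1251,6 +1251,9 @@
 http://example3.com/toto
 http://*example4.com/
 http://example5.com/toto*
+http://example6.com/#*
+http://example7.com/?*
+http://example8.com/?*#*
 ''')
     # ok
     for uri in [
@@ -1267,7 +1270,10 @@
             'http://example5.com/toto',
             'http://example5.com/toto/',
             'http://example5.com/toto/tata',
-            'http://example5.com/toto/tata/']:
+            'http://example5.com/toto/tata/',
+            'http://example6.com/#some-fragment',
+            'http://example7.com/?foo=bar',
+            'http://example8.com/?foo=bar#some-fragment']:
         client.validate_redirect_uri(uri)
     # nok
     for uri in [
@@ -1279,7 +1285,9 @@
             'http://coinexample4.com',
             'http://coinexample4.com/',
             'http://example5.com/tototata/',
-            'http://example5.com/tototata']:
+            'http://example5.com/tototata',
+            'http://example6.com/?foo=bar',
+            'http://example7.com/#some-fragment']:
         with pytest.raises(ValueError, match=r'is not declared'):
             client.validate_redirect_uri(uri)
     client.validate_redirect_uri('http://example5.com/toto/' + 'a' * 500)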
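Review bot: The added cases only exercise the wildcard declarations (`?*`, `#*`) and the rejection of a query or fragment against a declaration that has none; the non-wildcard branch of the new models.py check, where a declared literal query or fragment must match exactly, has no test at all. A constructed declaration such as `http://example9.com/?foo=bar` in the declared list, with `'http://example9.com/?foo=bar'` in the ok list and `'http://example9.com/?foo=baz'` and `'http://example9.com/?foo=bar&x=1'` in the nok list, would pin that behaviour and the parameter-order sensitivity of the string comparison. A query-less `'http://example9.com/'` should also be placed in whichever list reflects the intended policy, since the current code accepts it silently. The test function starts outside the hunk.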
1286
-