Merge pull request #120 from marekm4/fix-domain-check

GuilhemN · web-flow · commit 606b8ea1c3c9 · 2020-03-03T23:14:46.000+01:00
[Security] Add exact check for domain and port
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
@@ -1433,7 +1433,8 @@ protected function validateRedirectUri($inputUri, $storedUris)
 
         foreach ($storedUris as $storedUri) {
             if (strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0) {
-                return true;
+                return parse_url($inputUri, PHP_URL_HOST) === parse_url($storedUri, PHP_URL_HOST) &&
+                    parse_url($inputUri, PHP_URL_PORT) === parse_url($storedUri, PHP_URL_PORT);
             }
         }
 
diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -892,6 +892,50 @@ public function testFinishClientAuthorizationThrowsErrorIfNoMatchingUri()
         }
     }
 
+    public function testFinishClientAuthorizationThrowsErrorIfNoMatchingDomain()
+    {
+        $stub = new OAuth2GrantCodeStub;
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://a.example.com')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass;
+
+        try {
+            $oauth2->finishClientAuthorization(true, $data, new Request(array(
+                'client_id' => 'blah',
+                'response_type' => 'code',
+                'state' => '42',
+                'redirect_uri' => 'http://a.example.com.test.com/',
+            )));
+            $this->fail('The expected exception OAuth2ServerException was not thrown');
+        } catch (OAuth2ServerException $e) {
+            $this->assertSame('redirect_uri_mismatch', $e->getMessage());
+            $this->assertSame('The redirect URI provided does not match registered URI(s).', $e->getDescription());
+        }
+    }
+
+    public function testFinishClientAuthorizationThrowsErrorIfNoMatchingPort()
+    {
+        $stub = new OAuth2GrantCodeStub;
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://a.example.com:80')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass;
+
+        try {
+            $oauth2->finishClientAuthorization(true, $data, new Request(array(
+                'client_id' => 'blah',
+                'response_type' => 'code',
+                'state' => '42',
+                'redirect_uri' => 'http://a.example.com:8080/',
+            )));
+            $this->fail('The expected exception OAuth2ServerException was not thrown');
+        } catch (OAuth2ServerException $e) {
+            $this->assertSame('redirect_uri_mismatch', $e->getMessage());
+            $this->assertSame('The redirect URI provided does not match registered URI(s).', $e->getDescription());
+        }
+    }
+
     public function testFinishClientAuthorizationThrowsErrorIfRedirectUriAttemptsPathTraversal()
     {
         $stub = new OAuth2GrantCodeStub;

Original file line number	Diff line number	Diff line change
`@@ -1433,7 +1433,8 @@ protected function validateRedirectUri($inputUri, $storedUris)`
`1433`	`1433`
`1434`	`1434`	`foreach ($storedUris as $storedUri) {`
`1435`	`1435`	`if (strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0) {`
`1436`		`- return true;`
	`1436`	`+ return parse_url($inputUri, PHP_URL_HOST) === parse_url($storedUri, PHP_URL_HOST) &&`
	`1437`	`+ parse_url($inputUri, PHP_URL_PORT) === parse_url($storedUri, PHP_URL_PORT);`
`1437`	`1438`	`}`
`1438`	`1439`	`}`
`1439`	`1440`