Fixing redirect_uri parsing and validation logic for double escaping

ory · Sep 25, 2020 · 94ab1a2 · 94ab1a2
1 parent 4ef10b4
commit 94ab1a2
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/authorize_helper.go b/authorize_helper.go
@@ -41,16 +41,14 @@ import (
 func GetRedirectURIFromRequestValues(values url.Values) (string, error) {
 	// rfc6749 3.1.   Authorization Endpoint
 	// The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component
-	redirectURI, err := url.Parse(values.Get("redirect_uri"))
+	rawRedirectURI := values.Get("redirect_uri")
+	redirectURI, err := url.Parse(rawRedirectURI)
 	if err != nil {
 		return "", errors.WithStack(ErrInvalidRequest.WithHint(`The "redirect_uri" parameter is malformed or missing.`).WithCause(err).WithDebug(err.Error()))
+	} else if rawRedirectURI != "" && (redirectURI.Scheme == "" || redirectURI.Host == "") {
+		return "", errors.WithStack(ErrInvalidRequest.WithHint(`The "redirect_uri" parameter with malformed http scheme or host.`))
 	}
-	rawQuery, err := url.QueryUnescape(redirectURI.RawQuery)
 
-	if err != nil {
-		return "", errors.WithStack(ErrInvalidRequest.WithHint(`The "redirect_uri" parameter is malformed`).WithDebug(err.Error()))
-	}
-	redirectURI.RawQuery = rawQuery
 	return redirectURI.String(), nil
 }
 

diff --git a/authorize_helper_test.go b/authorize_helper_test.go
@@ -61,7 +61,7 @@ func TestGetRedirectURI(t *testing.T) {
 	}{
 		{in: "", isError: false, expected: ""},
 		{in: "https://google.com/", isError: false, expected: "https://google.com/"},
-		{in: "https://google.com/?foo=bar%20foo+baz", isError: false, expected: "https://google.com/?foo=bar foo baz"},
+		{in: "https//google.com/foo=bar foo baz", isError: true, expected: "https://google.com/?foo=bar foo baz"},
 	} {
 		values := url.Values{}
 		values.Set("redirect_uri", c.in)