OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix.

(`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris, and if that happened before /web/login is accessed for the first time then Pleroma used this externally created record with arbitrary redirect_uris and client_secret known by creator).
2019-02-07 22:14:06 +03:00 · 2019-02-07 22:14:06 +03:00 · 2c68cf7e9e
commit 2c68cf7e9e
parent d84392c9e0
2 changed files with 9 additions and 9 deletions
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -37,6 +37,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
         true <- Pbkdf2.checkpw(password, user.password_hash),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         %App{} = app <- Repo.get_by(App, client_id: client_id),
+         true <- redirect_uri in String.split(app.redirect_uris),
         {:ok, auth} <- Authorization.create_authorization(app, user) do
      # Special case: Local MastodonFE.
      redirect_uri =