Fix an OAuthServer issue where an attacker could make a link function over HTTP…
41b9752ba8a3
Actions

Authored by epriestley <git@epriestley.com> on Feb 20 2013, 01:09.

Description

Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only

Summary:
Two behavioral changes:

If the redirect URI for an application is "https", require HTTPS always.
According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names and values for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Committed

epriestley <git@epriestley.com>

Feb 20 2013, 01:09

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH2191e99b49a2: Delete unused variable

Branches

Unknown

Tags

Unknown

				Path
	M			src/applications/oauthserver/PhabricatorOAuthServer.php
	M			src/applications/oauthserver/__tests__/PhabricatorOAuthServerTestCase.php