OAuthServer - harden things up a bit

Summary: This is the hardening work mentioned in T887#86529. Also take a documentation pass for accuracy about these changes and formatting. Ref T4593. Test Plan: unit tests...! generated diviner docs and oauthserver doc looked good Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T4593 Differential Revision: https://secure.phabricator.com/D11298
2025-01-02 02:40:58 +01:00 · 2015-01-09 11:04:18 -08:00 · 2015-01-09 11:04:18 -08:00 · 152072fc97
commit 152072fc97
parent 7a6f4ab75a
3 changed files with 45 additions and 35 deletions
--- a/src/applications/oauthserver/PhabricatorOAuthServer.php
+++ b/src/applications/oauthserver/PhabricatorOAuthServer.php
@ -215,8 +215,8 @@ final class PhabricatorOAuthServer {

  /**
   * If there's a URI specified in an OAuth request, it must be validated in
-   * its own right. Further, it must have the same domain and (at least) the
-   * same query parameters as the primary URI.
+   * its own right. Further, it must have the same domain, the same path, the
+   * same port, and (at least) the same query parameters as the primary URI.
   */
  public function validateSecondaryRedirectURI(
    PhutilURI $secondary_uri,
@ -232,6 +232,16 @@ final class PhabricatorOAuthServer {
      return false;
    }

+    // Both URIs must have the same path
+    if ($secondary_uri->getPath() != $primary_uri->getPath()) {
+      return false;
+    }
+
+    // Both URIs must have the same port
+    if ($secondary_uri->getPort() != $primary_uri->getPort()) {
+      return false;
+    }
+
    // Any query parameters present in the first URI must be exactly present
    // in the second URI.
    $need_params = $primary_uri->getQueryParams();
--- a/src/applications/oauthserver/tests/PhabricatorOAuthServerTestCase.php
+++ b/src/applications/oauthserver/tests/PhabricatorOAuthServerTestCase.php
@ -24,11 +24,11 @@ final class PhabricatorOAuthServerTestCase

  public function testValidateSecondaryRedirectURI() {
    $server      = new PhabricatorOAuthServer();
-    $primary_uri = new PhutilURI('http://www.google.com');
+    $primary_uri = new PhutilURI('http://www.google.com/');
    static $test_domain_map = array(
-      'http://www.google.com'               => true,
+      'http://www.google.com'               => false,
      'http://www.google.com/'              => true,
-      'http://www.google.com/auth'          => true,
+      'http://www.google.com/auth'          => false,
      'http://www.google.com/?auth'         => true,
      'www.google.com'                      => false,
      'http://www.google.com/auth#invalid'  => false,
@ -76,12 +76,12 @@ final class PhabricatorOAuthServerTestCase

    $primary_uri = new PhutilURI('http://example.com/?z=2&y=3');
    $tests = array(
-      'http://example.com?z=2&y=3'      => true,
-      'http://example.com?y=3&z=2'      => true,
-      'http://example.com?y=3&z=2&x=1'  => true,
-      'http://example.com?y=2&z=3'      => false,
-      'http://example.com?y&x'          => false,
-      'http://example.com?z=2&x=3'      => false,
+      'http://example.com/?z=2&y=3'      => true,
+      'http://example.com/?y=3&z=2'      => true,
+      'http://example.com/?y=3&z=2&x=1'  => true,
+      'http://example.com/?y=2&z=3'      => false,
+      'http://example.com/?y&x'          => false,
+      'http://example.com/?z=2&x=3'      => false,
    );
    foreach ($tests as $input => $expected) {
      $uri = new PhutilURI($input);
--- a/src/docs/contributor/using_oauthserver.diviner
+++ b/src/docs/contributor/using_oauthserver.diviner
@ -18,9 +18,9 @@ clients that implement OAuth 2.0.

 = Vocabulary =

- **Access token** - a token which allows a client to ask for data on
-behalf of a resource owner. A given client will only be able to access
-data included in the scope(s) the resource owner authorized that client for.
+- **Access token** - a token which allows a client to ask for data on behalf
+ of a resource owner. A given client will only be able to access data included
+ in the scope(s) the resource owner authorized that client for.
 - **Authorization code** - a short-lived code which allows an authenticated
 client to ask for an access token on behalf of some resource owner.
 - **Client** - this is the application or system asking for data from the
@ -48,9 +48,9 @@ following parameters:
 - Required - **response_type** - the desired type of authorization code
 response. Only code is supported at this time.
 - Optional - **redirect_uri** - override the redirect_uri the client
-registered. This redirect_uri must have the same fully-qualified domain
-and have at least the same query parameters as the redirect_uri the client
-registered, as well as have no fragments.
+ registered. This redirect_uri must have the same fully-qualified domain,
+ path, port and have at least the same query parameters as the redirect_uri
+ the client registered, as well as have no fragments.
 - Optional - **scope** - specify what scope(s) the client needs access to
 in a space-delimited list.
 - Optional - **state** - an opaque value the client can send to the server