1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 09:42:41 +01:00
phorge-phorge/src/applications/oauthserver/__tests__
epriestley 41b9752ba8 Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only
Summary:
Two behavioral changes:

  - If the redirect URI for an application is "https", require HTTPS always.
  - According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names //and values// for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Differential Revision: https://secure.phabricator.com/D5022
2013-02-19 16:09:36 -08:00
..
PhabricatorOAuthServerTestCase.php Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only 2013-02-19 16:09:36 -08:00