R1:41b9752ba8a3
Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only
Summary:
Two behavioral changes:
- If the redirect URI for an application is "https", require HTTPS always.
- According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names //and values// for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...
iiam
Test Plan: This has good coverage…
Repository: R1 hydra
Commit Date: Feb 19 2013