Merge pull request #120 from marekm4/fix-domain-check

[Security] Add exact check for domain and port
FriendsOfSymfony · Mar 3, 2020 · 606b8ea · 606b8ea
2 parents 31b81cb + b7ff4ea
commit 606b8ea
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 1 deletion.
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
@@ -1433,7 +1433,8 @@ protected function validateRedirectUri($inputUri, $storedUris)
 
         foreach ($storedUris as $storedUri) {
             if (strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0) {
-                return true;
+                return parse_url($inputUri, PHP_URL_HOST) === parse_url($storedUri, PHP_URL_HOST) &&
+                    parse_url($inputUri, PHP_URL_PORT) === parse_url($storedUri, PHP_URL_PORT);
             }
         }
 

diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -892,6 +892,50 @@ public function testFinishClientAuthorizationThrowsErrorIfNoMatchingUri()
         }
     }
 
+    public function testFinishClientAuthorizationThrowsErrorIfNoMatchingDomain()
+    {
+        $stub = new OAuth2GrantCodeStub;
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://a.example.com')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass;
+
+        try {
+            $oauth2->finishClientAuthorization(true, $data, new Request(array(
+                'client_id' => 'blah',
+                'response_type' => 'code',
+                'state' => '42',
+                'redirect_uri' => 'http://a.example.com.test.com/',
+            )));
+            $this->fail('The expected exception OAuth2ServerException was not thrown');
+        } catch (OAuth2ServerException $e) {
+            $this->assertSame('redirect_uri_mismatch', $e->getMessage());
+            $this->assertSame('The redirect URI provided does not match registered URI(s).', $e->getDescription());
+        }
+    }
+
+    public function testFinishClientAuthorizationThrowsErrorIfNoMatchingPort()
+    {
+        $stub = new OAuth2GrantCodeStub;
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://a.example.com:80')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass;
+
+        try {
+            $oauth2->finishClientAuthorization(true, $data, new Request(array(
+                'client_id' => 'blah',
+                'response_type' => 'code',
+                'state' => '42',
+                'redirect_uri' => 'http://a.example.com:8080/',
+            )));
+            $this->fail('The expected exception OAuth2ServerException was not thrown');
+        } catch (OAuth2ServerException $e) {
+            $this->assertSame('redirect_uri_mismatch', $e->getMessage());
+            $this->assertSame('The redirect URI provided does not match registered URI(s).', $e->getDescription());
+        }
+    }
+
     public function testFinishClientAuthorizationThrowsErrorIfRedirectUriAttemptsPathTraversal()
     {
         $stub = new OAuth2GrantCodeStub;