Evaluate URL comparison #27

@TimothyBJacobs

There are two main places where we compare URLs against each other to ensure they match in some way.

  1. Dynamic Clients. We make sure that the client_uri (which is what we display in the UI) is the same host as the redirect_uris and other uris. This currently uses parse_url( PHP_URL_HOST ). Can this be spoofed?

  2. Redirect URIs. We check that the requested redirect_uri is one of the whitelisted redirect_uris. Is this an accurate check?
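
One stricter way to express the two checks described in this issue, as an added example that is not part of the original issue or the plugin's code. The function names and sample URLs are hypothetical, and requiring https and rejecting userinfo are assumptions of this example.

```php
<?php
// Added example: hypothetical helpers, not the plugin's code.

/** Normalized host of an absolute https URL, or null if the URL is not strict enough to compare. */
function example_strict_host( string $url ): ?string {
	// Reject control characters, whitespace and backslashes, which URL
	// parsers and browsers do not all interpret the same way.
	if ( preg_match( '/[\x00-\x20\x7f\\\\]/', $url ) ) {
		return null;
	}
	$parts = parse_url( $url );
	// parse_url() returns false on seriously malformed input.
	if ( ! is_array( $parts ) || empty( $parts['host'] ) || strtolower( $parts['scheme'] ?? '' ) !== 'https' ) {
		return null;
	}
	// Userinfo ("user:pass@") makes the displayed URL ambiguous, so refuse it.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return null;
	}
	// Host names are case-insensitive; a trailing dot names the same host.
	return rtrim( strtolower( $parts['host'] ), '.' );
}

/** True only if every URI in $uris has the same host as $client_uri. */
function example_same_host( string $client_uri, array $uris ): bool {
	$expected = example_strict_host( $client_uri );
	if ( null === $expected ) {
		return false;
	}
	foreach ( $uris as $uri ) {
		if ( example_strict_host( $uri ) !== $expected ) {
			return false;
		}
	}
	return true;
}

/** Exact, case-sensitive string match against the registered redirect_uris. */
function example_redirect_allowed( string $requested, array $registered ): bool {
	return in_array( $requested, $registered, true );
}

// Constructed sample values.
$registered = array( 'https://app.example/callback' );
var_dump( example_same_host( 'https://app.example/', $registered ) ); // matching host
var_dump( example_same_host( 'https://app.example/', array( 'https://app.example@other.example/cb' ) ) ); // userinfo present
var_dump( example_redirect_allowed( 'https://app.example/callback/../x', $registered ) ); // differs from registered string
```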

Labels: help wanted (Extra attention is needed), security (Impacts the security of the plugin)