
Commit f6dcbba

committed
Merge pull request bshaffer#695 from bshaffer/Maks3w-hotfix/663
Fix for bshaffer#663 and Test case
2 parents 7d269a1 + e6b1e69 commit f6dcbba


3 files changed

+26
-1
lines changed


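--- a/src/OAuth2/Controller/AuthorizeController.php
+++ b/src/OAuth2/Controller/AuthorizeController.php
@@ -341,9 +341,14 @@ protected function validateRedirectUri($inputUri, $registeredUriString)
 return true;
 }
 } else {
+$registered_uri_length = strlen($registered_uri);
+if ($registered_uri_length === 0) {
+return false;
+}
+
 // the input uri is validated against the registered uri using case-insensitive match of the initial string
 // i.e. additional query parameters may be applied
-if (strcasecmp(substr($inputUri, 0, strlen($registered_uri)), $registered_uri) === 0) {
+if (strcasecmp(substr($inputUri, 0, $registered_uri_length), $registered_uri) === 0) {
 return true;
 }
 }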
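Review bot: The new `return false;` on an empty registered entry ends validateRedirectUri outright; if this branch sits inside a loop over several registered URIs (the function's start is outside the hunk), an empty entry produced by a leading, trailing or doubled separator would reject a request that a later valid entry should have accepted, so `continue;` fits better there, and better still is discarding empty entries once where `$registeredUriString` is split into `$registered_uri` values (not visible here) so this branch never sees one. The prefix comparison on the following lines also does not require the match to end at an authority boundary, so the non-exact mode stays looser than the simple string comparison RFC 6749 calls for; a comment such as `// prefix match only: keep require_exact_redirect_uri enabled unless a looser policy is intended` above the strcasecmp line would make that trade-off explicit to the next maintainer. The enclosing function continues outside the hunk.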

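--- a/test/OAuth2/Controller/AuthorizeControllerTest.php
+++ b/test/OAuth2/Controller/AuthorizeControllerTest.php
@@ -178,6 +178,22 @@ public function testInvalidRedirectUri()
 $this->assertEquals($response->getParameter('error_description'), 'The redirect URI provided is missing or does not match');
 }
 
+public function testInvalidRedirectUriApprovedByBuggyRegisteredUri()
+{
+$server = $this->getTestServer();
+$server->setConfig('require_exact_redirect_uri', false);
+$request = new Request(array(
+'client_id' => 'Test Client ID with Buggy Redirect Uri', // valid client id
+'redirect_uri' => 'http://adobe.com', // invalid redirect URI
+'response_type' => 'code',
+));
+$server->handleAuthorizeRequest($request, $response = new Response(), true);
+
+$this->assertEquals($response->getStatusCode(), 400);
+$this->assertEquals($response->getParameter('error'), 'redirect_uri_mismatch');
+$this->assertEquals($response->getParameter('error_description'), 'The redirect URI provided is missing or does not match');
+}
+
 public function testNoRedirectUriWithMultipleRedirectUris()
 {
 $server = $this->getTestServer();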
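Review bot: The new test pins only the leading-space fixture; the same empty-entry defect arises from a trailing space or a doubled separator in the registered URI string, and one more fixture client (or a data provider feeding the `client_id`) would cover those without changing the assertions. Separately, `$this->assertEquals($response->getStatusCode(), 400)` and the two lines below it pass actual before expected, which mirrors the surrounding tests but inverts PHPUnit's failure message; `$this->assertEquals(400, $response->getStatusCode());` reads correctly when it fails. A short docblock on the method naming the regression it guards (a registered URI that splits into an empty entry must not match every redirect) would also help, since the method name alone does not say what "buggy" means.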

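--- a/test/config/storage.json
+++ b/test/config/storage.json
@@ -42,6 +42,10 @@
 "client_secret": "TestSecret2",
 "redirect_uri": "http://brentertainment.com"
 },
+"Test Client ID with Buggy Redirect Uri": {
+"client_secret": "TestSecret2",
+"redirect_uri": " http://brentertainment.com"
+},
 "Test Client ID with Multiple Redirect Uris": {
 "client_secret": "TestSecret3",
 "redirect_uri": "http://brentertainment.com http://morehazards.com"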
