author | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-12 20:35:00 -0700 |
committer | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-14 00:37:59 -0700 |
commit | ee06f0f3349d7fd656d35a2eef40ee18fb74e303 (patch) | |
tree | 77c729a7be6b3f7d789d511caf9f67dd941d54dc /oauthlib | |
parent | 047ceccf48ea7ccd4ecc6b48a8ddb6dd4a14abd6 (diff) | |
download | oauthlib-ee06f0f3349d7fd656d35a2eef40ee18fb74e303.tar.gz |
Ban all query parameters on Intropspection, Token and Revocation endpopoint
Diffstat (limited to 'oauthlib')
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/base.py | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/base.py b/oauthlib/oauth2/rfc6749/endpoints/base.py
index dc3204b..c99c22d 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/base.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/base.py
@@ -19,14 +19,12 @@ from oauthlib.common import CaseInsensitiveDict, urldecode
 log = logging.getLogger(__name__)
-BLACKLIST_QUERY_PARAMS = {'client_secret', 'code_verifier'}
 class BaseEndpoint(object):
 def __init__(self):
 self._available = True
 self._catch_errors = False
- self._blacklist_query_params = BLACKLIST_QUERY_PARAMS
 @property
 def available(self):
@@ -70,12 +68,10 @@ class BaseEndpoint(object):
 """Raise if invalid POST request received
 """
 if request.http_method.lower() == 'post':
- query_params = CaseInsensitiveDict(dict(urldecode(request.uri_query)))
- for param in self._blacklist_query_params:
- if param in query_params:
- raise InvalidRequestError(request=request,
- description=('"%s" is not allowed as a url query' +\
- ' parameter') % (param))
+ query_params = request.uri_query or ""
+ if query_params:
+ raise InvalidRequestError(request=request,
+ description=('URL query parameters are not allowed'))
 def catch_errors_and_unavailability(f):
 @functools.wraps(f) |
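Review bot: In the second hunk, `query_params = request.uri_query or ""` followed by `if query_params:` is a single condition written in two lines; the `or ""` only normalizes a falsy value that the next line rejects anyway, so the pair collapses to `if request.uri_query:`, and the redundant parentheses around the description string can go too. The enclosing method's signature lies outside the hunk. With the per-parameter loop gone, `CaseInsensitiveDict` and `urldecode` (imported on the line shown as the first hunk's header context) appear to have no remaining use in the visible code, so the import likely needs trimming — worth confirming against the rest of the file. The stricter rule also deserves a why-comment since the old blacklist explained itself through its contents, e.g. `# Reject any query string on a POST: values placed there end up in access logs and proxy caches`. Separately, `BLACKLIST_QUERY_PARAMS` was a module-level public name, so its removal in the first hunk breaks any external importer, which the commit message does not mention.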