From 3a769e29c2a94bad3460ab09f748569432257396 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Mon, 30 Jul 2018 15:07:05 +0200
Subject: Add syntax check of get_default_redirect_uri

Authorization Code was missing this check, whereas Implicit was checking it.

---
 .../oauth2/rfc6749/grant_types/authorization_code.py | 2 ++
 tests/oauth2/rfc6749/endpoints/test_error_responses.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 0660263..3d08871 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -312,6 +312,8 @@ class AuthorizationCodeGrant(GrantTypeBase):
 log.debug('Using default redirect_uri %s.', request.redirect_uri)
 if not request.redirect_uri:
 raise errors.MissingRedirectURIError(request=request)
+ if not is_absolute_uri(request.redirect_uri):
+ raise errors.InvalidRedirectURIError(request=request)
 # Then check for normal errors.
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index 875b3a5..de0d834 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
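Review bot: The value rejected by the new `is_absolute_uri` check comes from `get_default_redirect_uri`, i.e. from the server's own validator rather than from the client, so a failure here is a deployment misconfiguration surfaced to the client as `InvalidRedirectURIError`; a comment saying so would help the next reader, e.g. `# The default redirect_uri is server configuration, not client input; still reject a non-absolute value (RFC 6749 §3.1.2), as the implicit grant already does.`. The hunk does not show whether `is_absolute_uri` is already imported in this module; if it is not, the import belongs in this change. RFC 6749 §3.1.2 also forbids a fragment component in the redirection endpoint URI, so if `is_absolute_uri` only checks for a scheme and authority a default containing a fragment would still pass and may deserve a follow-up. The enclosing method starts and ends outside the hunk.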
@@ -44,6 +44,22 @@ class ErrorResponseTest(TestCase):
 self.assertRaises(errors.InvalidRedirectURIError,
 self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+ def test_invalid_default_redirect_uri(self):
+ uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
+ self.validator.get_default_redirect_uri.return_value = "wrong"
+
+ # Authorization code grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.validate_authorization_request, uri.format('code'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.create_authorization_response, uri.format('code'), scopes=['foo'])
+
+ # Implicit grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.validate_authorization_request, uri.format('token'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+
 def test_missing_redirect_uri(self):
 uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
--
cgit v1.2.1

From 38467a8a001fdbb5ae5661acfcea4e806b82b2b5 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Mon, 6 Aug 2018 19:01:53 +0200
Subject: Implicit was not converting expires_in into integers

---
 oauthlib/oauth2/rfc6749/parameters.py | 4 ++++
 tests/oauth2/rfc6749/clients/test_mobile_application.py | 2 +-
 tests/oauth2/rfc6749/test_parameters.py | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
index 9ea8c44..c5127e7 100644
--- a/oauthlib/oauth2/rfc6749/parameters.py
+++ b/oauthlib/oauth2/rfc6749/parameters.py
@@ -279,6 +279,10 @@ def parse_implicit_response(uri, state=None, scope=None):
 fragment = urlparse.urlparse(uri).fragment
 params = dict(urlparse.parse_qsl(fragment, keep_blank_values=True))
+ for key in ('expires_in',):
+ if key in params: # cast things to int
+ params[key] = int(params[key])
+
 if 'scope' in params:
 params['scope'] = scope_to_list(params['scope'])
diff --git a/tests/oauth2/rfc6749/clients/test_mobile_application.py b/tests/oauth2/rfc6749/clients/test_mobile_application.py
index 51e4dab..622b275 100644
--- a/tests/oauth2/rfc6749/clients/test_mobile_application.py
+++ b/tests/oauth2/rfc6749/clients/test_mobile_application.py
@@ -40,7 +40,7 @@ class MobileApplicationClientTest(TestCase):
 token = {
 "access_token": "2YotnFZFEjr1zCsicMWpAA",
 "token_type": "example",
- "expires_in": "3600",
+ "expires_in": 3600,
 "expires_at": 4600,
 "scope": scope,
 "example_parameter": "example_value"
diff --git a/tests/oauth2/rfc6749/test_parameters.py b/tests/oauth2/rfc6749/test_parameters.py
index 6ba98c0..b211d1e 100644
--- a/tests/oauth2/rfc6749/test_parameters.py
+++ b/tests/oauth2/rfc6749/test_parameters.py
@@ -86,7 +86,7 @@ class ParameterTests(TestCase):
 'access_token': '2YotnFZFEjr1zCsicMWpAA',
 'state': state,
 'token_type': 'example',
- 'expires_in': '3600',
+ 'expires_in': 3600,
 'expires_at': 4600,
 'scope': ['abc']
 }
--
cgit v1.2.1

From d5d843de71e2ddd6da913971f42beec890f5c3b7 Mon Sep 17 00:00:00 2001
From: Chris Utz
Date: Sun, 12 Aug 2018 15:44:38 -0500
Subject: $ and ' are allowed to be unencoded in query strings (#564)

---
 oauthlib/common.py | 2 +-
 tests/test_common.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/oauthlib/common.py b/oauthlib/common.py
index f25656f..c1180e6 100644
--- a/oauthlib/common.py
+++ b/oauthlib/common.py
@@ -114,7 +114,7 @@ def decode_params_utf8(params):
 return decoded
-urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?')
+urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?\'$')
 def urldecode(query):
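Review bot: `int(params[key])` on the added line lets a non-numeric `expires_in` in the fragment escape as a bare `ValueError`; since the fragment is parsed with `keep_blank_values=True` two lines above, even `expires_in=` with an empty value now raises from inside `parse_implicit_response` instead of being reported as a malformed response. Wrap the cast and re-raise as the module's own error type (none is visible in this hunk), e.g. `try: params[key] = int(params[key])` / `except ValueError: raise <module error>(...)`, so callers see a consistent exception for bad input. The `for key in ('expires_in',):` loop over a one-element tuple reads like a copy of a similar loop elsewhere; if the token-response parser in this module performs the same cast, a shared helper would keep the two in step. The enclosing function continues past the hunk.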
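Review bot: `urlencoded` is the allow-list that `urldecode`, defined directly below, enforces on raw query strings, so widening it without a comment leaves the next reader guessing why `'` and `$` are now accepted; tie the set to the spec with e.g. `# Characters RFC 3986 allows unencoded in a query component: unreserved, sub-delims "!$&'()*+,;=", ":" "@" "/" "?", plus "%" for pct-encoded octets.`. Both new characters are RFC 3986 sub-delims, so the widening itself is consistent with the spec. As a point of style, a double-quoted literal avoids the `\'` escape: `urlencoded = set(always_safe) | set("=&;:%+~,*@!()/?'$")`.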
diff --git a/tests/test_common.py b/tests/test_common.py
index b0ea20d..fb4bd5b 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -39,6 +39,8 @@ class EncodingTest(TestCase):
 self.assertItemsEqual(urldecode('foo=bar@spam'), [('foo', 'bar@spam')])
 self.assertItemsEqual(urldecode('foo=bar/baz'), [('foo', 'bar/baz')])
 self.assertItemsEqual(urldecode('foo=bar?baz'), [('foo', 'bar?baz')])
+ self.assertItemsEqual(urldecode('foo=bar\'s'), [('foo', 'bar\'s')])
+ self.assertItemsEqual(urldecode('foo=$'), [('foo', '$')])
 self.assertRaises(ValueError, urldecode, 'foo bar')
 self.assertRaises(ValueError, urldecode, '%R')
 self.assertRaises(ValueError, urldecode, '%RA')
--
cgit v1.2.1