commit: b4271de7700edc460e81fb72c60a4eb1662a5141
parent: d84392c9e05342a70d3a759ac380dcd41f22ed0e
Author: lambda <pleromagit@rogerbraun.net>
Date: Fri, 8 Feb 2019 12:09:43 +0000
Merge branch 'oauth2_strengthening' into 'develop'
OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix
See merge request pleroma/pleroma!793
Diffstat:
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -26,12 +26,14 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
require Logger
@httpoison Application.get_env(:pleroma, :httpoison)
+ @local_mastodon_name "Mastodon-Local"
action_fallback(:errors)
def create_app(conn, params) do
- with cs <- App.register_changeset(%App{}, params) |> IO.inspect(),
- {:ok, app} <- Repo.insert(cs) |> IO.inspect() do
+ with cs <- App.register_changeset(%App{}, params),
+ false <- cs.changes[:client_name] == @local_mastodon_name,
+ {:ok, app} <- Repo.insert(cs) do
res = %{
id: app.id |> to_string,
name: app.client_name,
@@ -1154,16 +1156,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
end
defp get_or_make_app() do
- with %App{} = app <- Repo.get_by(App, client_name: "Mastodon-Local") do
+ find_attrs = %{client_name: @local_mastodon_name, redirect_uris: "."}
+
+ with %App{} = app <- Repo.get_by(App, find_attrs) do
{:ok, app}
else
_e ->
- cs =
- App.register_changeset(%App{}, %{
- client_name: "Mastodon-Local",
- redirect_uris: ".",
- scopes: "read,write,follow"
- })
+ cs = App.register_changeset(%App{}, Map.put(find_attrs, :scopes, "read,write,follow"))
Repo.insert(cs)
end
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -37,6 +37,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
true <- Pbkdf2.checkpw(password, user.password_hash),
{:auth_active, true} <- {:auth_active, User.auth_active?(user)},
%App{} = app <- Repo.get_by(App, client_id: client_id),
+ true <- redirect_uri in String.split(app.redirect_uris),
{:ok, auth} <- Authorization.create_authorization(app, user) do
# Special case: Local MastodonFE.
redirect_uri =