diff options
| author | RussellAult <RussellAult@users.noreply.github.com> | 2019-11-10 15:49:57 -0700 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-11-13 14:05:03 +0100 |
| commit | 19791b2460bf7cdf17437d9ebab4d83b60270a3f (patch) | |
| tree | a57d66b1926a3787e107ae7397294951492a7c5d | |
| parent | d9204f61ead5f5c95cbef21a5d6fc40ac2d1861a (diff) | |
| download | nextcloud-server-19791b2460bf7cdf17437d9ebab4d83b60270a3f.tar.gz nextcloud-server-19791b2460bf7cdf17437d9ebab4d83b60270a3f.zip | |
Check getRedirectUri() for queries
Resolves Issue #17885
Check getRedirectUri() for queries, and add a '&' instead of a '?' to $redirectUri if it already has them; otherwise, $redirectUri might end up with two '?'.
Signed-off-by: RussellAult <russellault@users.noreply.github.com>
| -rw-r--r-- | core/Controller/ClientFlowLoginController.php | 14 | ||||
| -rw-r--r-- | tests/Core/Controller/ClientFlowLoginControllerTest.php | 15 |
2 files changed, 23 insertions, 6 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php index bffedf19224..ba594469a7f 100644 --- a/core/Controller/ClientFlowLoginController.php +++ b/core/Controller/ClientFlowLoginController.php @@ -6,6 +6,7 @@ * @author Lukas Reschke <lukas@statuscode.ch> * @author Morris Jobke <hey@morrisjobke.de> * @author Roeland Jago Douma <roeland@famdouma.nl> + * @author Russell Ault <russell@auksnest.ca> * * @license GNU AGPL version 3 or any later version * @@ -337,9 +338,16 @@ class ClientFlowLoginController extends Controller { $accessToken->setTokenId($generatedToken->getId()); $this->accessTokenMapper->insert($accessToken); - $redirectUri = sprintf( - '%s?state=%s&code=%s', - $client->getRedirectUri(), + $redirectUri = $client->getRedirectUri(); + + if (parse_url($redirectUri, PHP_URL_QUERY)) { + $redirectUri .= '&'; + } else { + $redirectUri .= '?'; + } + + $redirectUri .= sprintf( + 'state=%s&code=%s', urlencode($this->session->get('oauth.state')), urlencode($code) ); diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php index 50280e18371..1401eac67d8 100644 --- a/tests/Core/Controller/ClientFlowLoginControllerTest.php +++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php @@ -398,7 +398,16 @@ class ClientFlowLoginControllerTest extends TestCase { $this->assertEquals($expected, $this->clientFlowLoginController->generateAppPassword('MyStateToken')); } - public function testGeneratePasswordWithPasswordForOauthClient() { + /** + * @param string $redirectUri + * @param string $redirectUrl + * + * @testWith + * ["https://example.com/redirect.php", "https://example.com/redirect.php?state=MyOauthState&code=MyAccessCode"] + * ["https://example.com/redirect.php?hello=world", "https://example.com/redirect.php?hello=world&state=MyOauthState&code=MyAccessCode"] + * + */ + public function testGeneratePasswordWithPasswordForOauthClient($redirectUri, $redirectUrl) { $this->session ->expects($this->at(0)) ->method('get') @@ -471,7 +480,7 @@ class ClientFlowLoginControllerTest extends TestCase { ->willReturn($token); $client = new Client(); $client->setName('My OAuth client'); - $client->setRedirectUri('https://example.com/redirect.php'); + $client->setRedirectUri($redirectUri); $this->clientMapper ->expects($this->once()) ->method('getByIdentifier') @@ -481,7 +490,7 @@ class ClientFlowLoginControllerTest extends TestCase { $this->eventDispatcher->expects($this->once()) ->method('dispatch'); - $expected = new Http\RedirectResponse('https://example.com/redirect.php?state=MyOauthState&code=MyAccessCode'); + $expected = new Http\RedirectResponse($redirectUrl); $this->assertEquals($expected, $this->clientFlowLoginController->generateAppPassword('MyStateToken', 'MyClientIdentifier')); } |