| author | jwijenbergh <jeroenwijenbergh@protonmail.com> | 2022-10-17 10:51:35 +0200 |
|---|---|---|
| committer | jwijenbergh <jeroenwijenbergh@protonmail.com> | 2022-10-17 10:51:35 +0200 |
| commit | 4e834896a1c68cd536971dcfff7c3afbcff637ae (patch) | |
| tree | 5614ed19ec512904d1f09773ed607c8550116961 /internal/util/util.go | |
| parent | d615578b89f1f10d0f057315a58a29c30f1f8693 (diff) | |
OAuth: Implement Authorization Server Issuer Identification (ISS)
- This patch implements ISS checking according to RFC 9207
https://datatracker.ietf.org/doc/html/rfc9207
- This tries to prevent so-called "mix-up" attacks where the client is
fooled into authorizing with an honest AS through a malicious entity
Diffstat (limited to 'internal/util/util.go')
| -rw-r--r-- | internal/util/util.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/internal/util/util.go b/internal/util/util.go index f9e2f7b..a8abd80 100644 --- a/internal/util/util.go +++ b/internal/util/util.go @@ -5,6 +5,7 @@ import ( "fmt" "net/url" "os" + "path" "strings" "time" @@ -23,6 +24,11 @@ func EnsureValidURL(s string) (string, error) { if parsedURL.Scheme == "" { parsedURL.Scheme = "https" } + if parsedURL.Path != "" { + // Clean the path + // https://pkg.go.dev/path#Clean + parsedURL.Path = path.Clean(parsedURL.Path) + } return parsedURL.String(), nil } |
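Review bot: the path.Clean call added to EnsureValidURL (second hunk) runs on parsedURL.Path, which holds the decoded path, so percent-encoded dot segments and slashes are treated like literal ones and the returned URL can name a different path than the input did; path.Clean also drops the trailing slash from any path other than "/". The commit message ties this change to RFC 9207 issuer checking, where the iss value is compared as a plain string, so this normalisation only helps if every URL that ends up in that comparison goes through the same function. Suggest replacing "// Clean the path" with a comment that states the effect (collapses "." and ".." segments and repeated slashes, removes a trailing slash) and why it is wanted, and adding test cases for "/", a path with a trailing slash, and a path containing "..". The first hunk (the "path" import) needs no change.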
