git.squeep.com Git - akkoma/commit

author	Ivan Tashkinov <ivantashkinov@gmail.com>
	Thu, 7 Feb 2019 19:14:06 +0000 (22:14 +0300)
committer	Ivan Tashkinov <ivantashkinov@gmail.com>
	Thu, 7 Feb 2019 19:14:06 +0000 (22:14 +0300)
commit	2c68cf7e9ee6718f83f2209e6b009b02b50bc8f4
tree	69d0992f5f10364a993989b6cc16a618b931c6d7	tree \| snapshot
parent	d84392c9e05342a70d3a759ac380dcd41f22ed0e	commit \| diff

OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix.

(`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris,
and if that happened before /web/login is accessed for the first time
then Pleroma used this externally created record with arbitrary
redirect_uris and client_secret known by creator).

lib/pleroma/web/mastodon_api/mastodon_api_controller.ex		diff \| blob \| history
lib/pleroma/web/oauth/oauth_controller.ex		diff \| blob \| history

Fork of https://akkoma.dev/AkkomaGang/akkoma.git

RSS Atom