From 9501c630960457ee37b4a4d91d2490114381e1bf Mon Sep 17 00:00:00 2001
From: Stephen Goodey
Date: Fri, 24 Jun 2016 14:26:31 +0100
Subject: [PATCH] Fix for ensuring the redirect uri is identical across the initial authorization code request and the access token request

---
 lib/OAuth2.php | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/lib/OAuth2.php b/lib/OAuth2.php
index 31da279..e9e98c4 100644
--- a/lib/OAuth2.php
+++ b/lib/OAuth2.php
@@ -888,12 +888,8 @@ protected function grantAccessTokenAuthCode(IOAuth2Client $client, array $input)
 throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Code doesn't exist or is invalid for the client");
 }
- // Validate the redirect URI. If a redirect URI has been provided on input, it must be validated
- if ($input["redirect_uri"] && !$this->validateRedirectUri(
- $input["redirect_uri"],
- $authCode->getRedirectUri()
- )
- ) {
+ // Validate the redirect URI. If a redirect URI has been provided on input, it must be identical
+ if ($input["redirect_uri"] && $input["redirect_uri"] === $authCode->getRedirectUri()) {
 throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
 }
@@ -1501,7 +1497,7 @@ private function getJsonHeaders()
 * Internal method for validating redirect URI supplied
 *
 * @param string $inputUri
- * @param string|array $storedUris
+ * @param array $storedUris
 *
 * @return bool
 */
@@ -1525,10 +1521,6 @@ protected function validateRedirectUri($inputUri, $storedUris)
 }
 }
- if (!is_array($storedUris)) {
- $storedUris = array($storedUris);
- }
-
 foreach ($storedUris as $storedUri) {
 if (strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0) {
 return true;
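Review bot: The new condition on the added `if` line is inverted: it throws ERROR_REDIRECT_URI_MISMATCH exactly when the supplied redirect_uri is identical to the one stored with the authorization code, and lets every differing value through, which is the opposite of what the comment above it and the commit subject describe. The operator should be `!==`: `if ($input["redirect_uri"] && $input["redirect_uri"] !== $authCode->getRedirectUri()) {`. Exact comparison is stricter than the prefix match the removed validateRedirectUri() call performed, so only the operator needs to change, assuming getRedirectUri() returns a plain string here (not visible in the hunk). The pre-existing truthiness test on `$input["redirect_uri"]` still skips the check entirely when the parameter is absent, which is unchanged by this patch. grantAccessTokenAuthCode begins and ends outside this hunk.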
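Review bot: With the string-to-array coercion removed, a caller that still passes a single string as `$storedUris` now reaches the `foreach` with a non-array and falls through instead of being rejected up front; since the docblock now promises `array`, enforce it on the signature shown in the hunk header: `protected function validateRedirectUri($inputUri, array $storedUris)`. Only the one call site changed in this patch is visible, so whether other callers pass strings cannot be confirmed from here. The unchanged `strcasecmp(substr(...))` comparison remains a case-insensitive prefix match, noticeably looser than the exact comparison the patch introduces for the token request, so a comment such as `// Prefix match: intentionally more lenient than the exact check applied at token exchange` would make that asymmetry explicit. validateRedirectUri starts before this hunk and continues past it.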