fixup! Deny URIs from client that are public suffixes

2025-08-09 04:22:45 +03:00 · 2023-09-15 19:22:49 +02:00
parent bdc375fc6b
commit 21406218aa
1 changed files with 9 additions and 2 deletions
--- a/crates/handlers/src/oauth2/registration.rs
+++ b/crates/handlers/src/oauth2/registration.rs
@@ -171,8 +171,11 @@ fn host_is_public_suffix(url: &Url) -> bool {
        return false;
    }
-    if host.len() < suffix.as_bytes().len() + 2 {
+    // We want to cover two cases:
-        // Host is too short to be a valid domain
+    // - The host is the suffix itself, like `com`
    // - The host is a dot followed by the suffix, like `.com`
    if host.len() <= suffix.as_bytes().len() + 1 {
        // The host only has the suffix in it, so it's a public suffix
        return true;
    }
@@ -323,10 +326,14 @@ mod tests {
            host_is_public_suffix(&Url::parse(url).unwrap())
        }
        assert!(url_is_public_suffix("https://.com"));
        assert!(url_is_public_suffix("https://.com."));
        assert!(url_is_public_suffix("https://co.uk"));
        assert!(url_is_public_suffix("https://github.io"));
        assert!(!url_is_public_suffix("https://example.com"));
        assert!(!url_is_public_suffix("https://example.com."));
        assert!(!url_is_public_suffix("https://x.com"));
        assert!(!url_is_public_suffix("https://x.com."));
        assert!(!url_is_public_suffix("https://matrix-org.github.io"));
        assert!(!url_is_public_suffix("http://localhost"));
        assert!(!url_is_public_suffix("org.matrix:/callback"));