From d00ed44c3e5c587d7f52e5f1c97b2fb9692ccd7f Mon Sep 17 00:00:00 2001
From: Massimiliano Pippi
Date: Thu, 3 Jul 2014 12:38:46 +0200
Subject: [PATCH] specialize URIValidator to validate redirect URIs
---
 oauth2_provider/tests/test_validators.py | 8 +++++---
 oauth2_provider/validators.py | 9 ++++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/oauth2_provider/tests/test_validators.py b/oauth2_provider/tests/test_validators.py
index 5a63eca6a..ded4ce828 100644
--- a/oauth2_provider/tests/test_validators.py
+++ b/oauth2_provider/tests/test_validators.py
@@ -8,10 +8,12 @@ class TestValidators(TestCase):
 def test_validate_good_uris(self):
- good_urls = 'http://example.com/ http://example.it/?key=val'
+ good_urls = 'http://example.com/ http://example.it/?key=val http://example'
 # Check ValidationError not thrown
 validate_uris(good_urls)
 def test_validate_bad_uris(self):
- bad_urls = 'http://example.com http://example'
- self.assertRaises(ValidationError, validate_uris, bad_urls)
+ bad_url = 'http://example.com/#fragment'
+ self.assertRaises(ValidationError, validate_uris, bad_url)
+ bad_url = 'http:/example.com'
+ self.assertRaises(ValidationError, validate_uris, bad_url)
\ No newline at end of file
diff --git a/oauth2_provider/validators.py b/oauth2_provider/validators.py
index 74bd8fc6b..f03485dd6 100644
--- a/oauth2_provider/validators.py
+++ b/oauth2_provider/validators.py
@@ -40,10 +40,17 @@ def __call__(self, value):
 url = value
+class RedirectURIValidator(URIValidator):
+ def __call__(self, value):
+ super(RedirectURIValidator, self).__call__(value)
+ if len(value.split('#')) > 1:
+ raise ValidationError('Redirect URIs must not contain fragments')
+
+
 def validate_uris(value):
 """ This validator ensures that `value` contains valid blank-separated urls" """
- v = URIValidator()
+ v = RedirectURIValidator()
 for uri in value.split():
 v(uri)
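Review bot: The rewritten `test_validate_bad_uris` leaves two redirect-URI cases unpinned: an empty fragment and a list in which only one entry is invalid. Adding `self.assertRaises(ValidationError, validate_uris, 'http://example.com/#')` and `self.assertRaises(ValidationError, validate_uris, 'http://example.com/ http://example.com/#fragment')` would fix the behaviour that a bare `#` and a single bad entry both reject the whole value. The old bad case `http://example.com` (no trailing slash) no longer appears in either list, so its intended verdict is undocumented; it should be asserted on whichever side is now correct. A short comment on why `http://example` moved to the good list would also help, since the validator change that allows it is not part of this hunk.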
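Review bot: `RedirectURIValidator` has no docstring, so the only explanation of the fragment rule is the error string. A one-line docstring such as `"""Validate a URI and reject any fragment, as RFC 6749 section 3.1.2 requires for redirection endpoints."""` would mark the check as a protocol requirement rather than a preference. The condition `len(value.split('#')) > 1` is equivalent to `if '#' in value:`, which reads more directly and still rejects an empty fragment such as a trailing `#`. Which schemes and hosts are accepted is decided in `URIValidator.__call__`, whose body lies outside this hunk, so it cannot be confirmed from here that redirect URIs are limited to the schemes the provider expects.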