authorJonathan Huot <jonathan.huot@thomsonreuters.com>2018-07-30 15:07:05 +0200
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2018-07-30 15:07:05 +0200
commit3a769e29c2a94bad3460ab09f748569432257396 (patch)
treedde9b0a9829614356ddf09358503ddba1e5f768a
parentfbacd77b602e4c60f8da2413c150fa7f20b2f83c (diff)
downloadoauthlib-3a769e29c2a94bad3460ab09f748569432257396.tar.gz
Add syntax check of get_default_redirect_uri
Authorization Code was missing this check, whereas Implicit was checking it.
-rw-r--r--oauthlib/oauth2/rfc6749/grant_types/authorization_code.py2
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_error_responses.py16
2 files changed, 18 insertions, 0 deletions
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 0660263..3d08871 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -312,6 +312,8 @@ class AuthorizationCodeGrant(GrantTypeBase):
log.debug('Using default redirect_uri %s.', request.redirect_uri)
if not request.redirect_uri:
raise errors.MissingRedirectURIError(request=request)
+ if not is_absolute_uri(request.redirect_uri):
+ raise errors.InvalidRedirectURIError(request=request)
# Then check for normal errors.
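Review bot: The added `is_absolute_uri` guard rejects a non-absolute value returned by `get_default_redirect_uri`, but that value comes from the server's own client registration rather than from the request, so raising without a log leaves operators with only the preceding debug line to find the misconfiguration; consider `log.warning('Default redirect_uri %s is not an absolute URI.', request.redirect_uri)` before the raise. Raising `InvalidRedirectURIError` ahead of the `# Then check for normal errors.` marker presumably keeps it on the fatal, non-redirecting path, which is what an untrusted redirect target needs — worth confirming against the rest of the method. The commit message says the implicit grant already carries the same two lines, so the check could live once in `GrantTypeBase` (visible in the hunk header) so the two grants cannot drift apart again. The enclosing method starts and ends outside the hunk, and the `is_absolute_uri` import is not visible here.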
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index 875b3a5..de0d834 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -44,6 +44,22 @@ class ErrorResponseTest(TestCase):
self.assertRaises(errors.InvalidRedirectURIError,
self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+ def test_invalid_default_redirect_uri(self):
+ uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
+ self.validator.get_default_redirect_uri.return_value = "wrong"
+
+ # Authorization code grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.validate_authorization_request, uri.format('code'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.create_authorization_response, uri.format('code'), scopes=['foo'])
+
+ # Implicit grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.validate_authorization_request, uri.format('token'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+
def test_missing_redirect_uri(self):
uri = 'https://example.com/authorize?response_type={0}&client_id=foo'