Posted to commits@cxf.apache.org by co...@apache.org on 2021/01/05 08:45:56 UTC

[cxf-fediz] branch master updated: FEDIZ-253 - Enforce that only http or https is allowed in the OIDC ClientRegistration page

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new 1dac649  FEDIZ-253 - Enforce that only http or https is allowed in the OIDC ClientRegistration page
1dac649 is described below

commit 1dac649b6c8d511d16744eb9a82b0c79fb27f6a8
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jan 5 08:45:24 2021 +0000

    FEDIZ-253 - Enforce that only http or https is allowed in the OIDC ClientRegistration page
---
 .../fediz/service/oidc/clients/ClientRegistrationService.java    | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
index 08eb8db..696b694 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
@@ -465,16 +465,15 @@ public class ClientRegistrationService {
 
     private static boolean isValidURI(String uri, boolean requireHttps) {
 
-        final UrlValidator urlValidator;
+        final String[] schemes;
 
         if (requireHttps) {
-            String[] schemes = {"https"};
-            urlValidator = new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS);
+            schemes = new String[] {"https"};
         } else {
-            urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
-                                                     + UrlValidator.ALLOW_ALL_SCHEMES);
+            schemes = new String[] {"https", "http"};
         }
 
+        UrlValidator urlValidator = new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS);
         if (!urlValidator.isValid(uri)) {
             return false;
         }
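Review bot: The scheme allowlist that `isValidURI` now enforces is a security decision, but nothing in the method says so and no test in this commit pins it, so a later refactor could quietly restore `ALLOW_ALL_SCHEMES`. I would add a Javadoc above the signature such as `/** Accepts only http/https URLs (https only when requireHttps is set); every other scheme is rejected. */` and a unit test asserting that a non-http(s) scheme is refused for both values of `requireHttps`. `UrlValidator.ALLOW_LOCAL_URLS` is still passed in both branches, so local host names keep validating even when https is required; it is worth confirming that this is intended outside development setups. The method body continues past the end of the hunk, so any later checks are not visible here.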