Commit 1a2de167 authored by Clément OUDOT's avatar Clément OUDOT

Reject invalid OIDC scopes (#1599)

parent c6ff9dcf
......@@ -14,7 +14,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_UNAUTHORIZEDPARTNER
);
our $VERSION = '2.0.0';
our $VERSION = '2.0.1';
extends 'Lemonldap::NG::Portal::Main::Issuer',
'Lemonldap::NG::Portal::Lib::OpenIDConnect',
......@@ -306,6 +306,13 @@ sub run {
return $self->reAuth($req);
}
# Check scope validity
unless ( $oidc_request->{'scope'} =~ /^[a-zA-Z_\-\s]+$/ ) {
$self->logger->error( "Submitted scope is not valid: "
. $oidc_request->{'scope'} );
return PE_ERROR;
}
# Check openid scope
unless ( $oidc_request->{'scope'} =~ /\bopenid\b/ ) {
$self->logger->debug("No openid scope found");
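Review bot: The error log at `$self->logger->error( "Submitted scope is not valid: " . $oidc_request->{'scope'} )` writes the submitted value verbatim immediately after the match rejected it, so it may contain newlines or control characters and can forge entries in the error-level log; log a sanitized copy instead, e.g. `( my $shown = $oidc_request->{'scope'} // '' ) =~ s/[^[:print:]]/?/g;` and concatenate `substr( $shown, 0, 200 )`. The character class `[a-zA-Z_\-\s]` is also narrower than the scope-token grammar of RFC 6749 §3.3, which allows any printable ASCII except space, `"` and `\`, so clients sending scopes containing digits, `.`, `:` or `/` (for example `read:users` or a URL-style scope) will now get PE_ERROR; if that restriction is deliberate it deserves a comment such as `# Deliberately stricter than RFC 6749: only letters, _ and - are accepted`, otherwise `/\A[\x21\x23-\x5B\x5D-\x7E]+(?:\x20[\x21\x23-\x5B\x5D-\x7E]+)*\z/` matches the RFC grammar. When the client omits `scope` entirely the match runs on undef, which still ends in PE_ERROR but with uninitialized-value warnings from the condition and the log concatenation; a `// ''` on the value being matched would keep the log clean. `run` starts and ends outside the hunk.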