OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix
- Feb 07, 2019
Ivan Tashkinov authored
(`POST /api/v1/apps` could create "Mastodon-Local" app with any redirect_uris, and if that happened before /web/login is accessed for the first time then Pleroma used this externally created record with arbitrary redirect_uris and client_secret known by creator).
2c68cf7e
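
The two checks named in the commit title, sketched as an added example; this is not Pleroma's code and not the contents of this commit. The `AppRegistry` class, the `trusted` flag, the whitespace-separated `redirect_uris` string and the `.example` URLs are assumptions made for illustration.

```python
import secrets

LOCAL_APP_NAME = "Mastodon-Local"  # reserved name, taken from the commit message


class AppRegistry:
    """In-memory stand-in for the OAuth app table (hypothetical model)."""

    def __init__(self):
        self._apps = []

    def _insert(self, name, redirect_uris, trusted):
        app = {
            "client_name": name,
            "redirect_uris": redirect_uris.split(),
            "client_id": secrets.token_urlsafe(16),
            "client_secret": secrets.token_urlsafe(32),
            "trusted": trusted,  # set only by server-side code, never from a request
        }
        self._apps.append(app)
        return app

    def create_from_api(self, client_name, redirect_uris):
        """Path reached by POST /api/v1/apps: the reserved name is refused."""
        if client_name == LOCAL_APP_NAME:
            raise PermissionError("client_name is reserved for the server")
        return self._insert(client_name, redirect_uris, trusted=False)

    def local_app(self, redirect_uris):
        """Path reached by /web/login: reuse only a record the server created."""
        for app in self._apps:
            if app["client_name"] == LOCAL_APP_NAME and app["trusted"]:
                return app
        # An untrusted row with the reserved name (for example one created
        # before the check existed) is ignored and a fresh record is made.
        return self._insert(LOCAL_APP_NAME, redirect_uris, trusted=True)


def redirect_uri_allowed(app, requested):
    """Exact string match against the URIs registered for this app."""
    return requested in app["redirect_uris"]
```
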