authorMichael Kröll <pepl@cpan.org>2008-12-02 00:01:00 +0100
committerMichael Kröll <pepl@cpan.org>2008-12-02 00:01:00 +0100
commita7857445e3654bdc2d7968e31064349b92399cc7 (patch)
tree4834da3b5518b6a25cfdda01ced806b5211ca76b
parentMerge branch 'master' of git@git.useperl.at:PAUSE-OpenID (diff)
downloadSimple-OpenID-a7857445e3654bdc2d7968e31064349b92399cc7.tar.gz
Simple-OpenID-a7857445e3654bdc2d7968e31064349b92399cc7.tar.bz2
Simple-OpenID-a7857445e3654bdc2d7968e31064349b92399cc7.zip
Check for valid return_to url
-rw-r--r--Build.PL3
-rw-r--r--lib/PAUSE/OpenID/Controller/Root.pm5
2 files changed, 7 insertions, 1 deletions
diff --git a/Build.PL b/Build.PL
index e6d5eb0..ca06808 100644
--- a/Build.PL
+++ b/Build.PL
@@ -13,12 +13,13 @@ my $builder = Module::Build->new(
'perl' => '5.010',
'Catalyst::Runtime' => '5.7014',
'Net::OpenID::Server' => '1.02',
- 'Catalyst::View::XSLT' => 0,
+ 'Catalyst::View::XSLT' => '0',
'Catalyst::Plugin::Cache::Memcached' => '0.6',
'Catalyst::Plugin::Session' => '0',
'Catalyst::Plugin::Session::State::Cookie' => '0',
'Catalyst::Plugin::Session::Store::FastMmap' => '0',
'Crypt::SSLeay' => '0',
+ 'Regexp::Common' => '0',
},
add_to_cleanup => ['PAUSE-OpenID-*'],
diff --git a/lib/PAUSE/OpenID/Controller/Root.pm b/lib/PAUSE/OpenID/Controller/Root.pm
index 6ffa03b..13f165f 100644
--- a/lib/PAUSE/OpenID/Controller/Root.pm
+++ b/lib/PAUSE/OpenID/Controller/Root.pm
@@ -5,6 +5,7 @@ use warnings;
use parent 'Catalyst::Controller';
use LWP::UserAgent;
+use Regexp::Common qw /URI/;
#
# Sets the actions in this controller to be registered with no prefix
@@ -41,6 +42,10 @@ sub index :Path :Args(0) {
#$c->flash->{xml} = '<document><error_message>Missing parameter</error_message></document>';
$c->res->redirect($c->uri_for('/error'));
}
+ elsif ( $return_to !~ /$RE{URI}{HTTP}/ ) { #{'-scheme'=>'P'}
+ #$c->flash->{xml} = '<document><error_message>Invalid URI</error_message></document>';
+ $c->res->redirect($c->uri_for('/error'));
+ }
# TODO: generate XML programatically
$c->stash->{xml} = sprintf('<document><config key="url" value="%s"/></document>', $c->config->{'PAUSE::OpenID'}{'baseurl'});
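Review bot: The new `elsif` test is unanchored, so `$return_to !~ /$RE{URI}{HTTP}/` accepts any value that merely contains an HTTP URL somewhere in it, and the default pattern covers only the `http` scheme, so an `https://` return_to is presumably rejected unless it embeds one. Anchoring the match and naming the accepted schemes would make the check mean what the commit title says, e.g. `elsif ( $return_to !~ /\A$RE{URI}{HTTP}{-scheme => 'https?'}\z/ ) {`. Separately, `$c->res->redirect` only sets the response, so the stash assignment after the chain still runs for a rejected value; a `return;` (or `$c->detach`) after the redirect in this branch would stop the action there. The body of `index` starts and ends outside the hunk, so whether later code goes on to use `$return_to` cannot be confirmed from here.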