From a7857445e3654bdc2d7968e31064349b92399cc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Kr=C3=B6ll?=
Date: Tue, 2 Dec 2008 00:01:00 +0100
Subject: Check for valid return_to url
---
 lib/PAUSE/OpenID/Controller/Root.pm | 5 +++++
 1 file changed, 5 insertions(+) (limited to 'lib/PAUSE/OpenID/Controller/Root.pm')
diff --git a/lib/PAUSE/OpenID/Controller/Root.pm b/lib/PAUSE/OpenID/Controller/Root.pm
index 6ffa03b..13f165f 100644
--- a/lib/PAUSE/OpenID/Controller/Root.pm
+++ b/lib/PAUSE/OpenID/Controller/Root.pm
@@ -5,6 +5,7 @@ use warnings;
 use parent 'Catalyst::Controller';
 use LWP::UserAgent;
+use Regexp::Common qw /URI/;
 # # Sets the actions in this controller to be registered with no prefix
@@ -41,6 +42,10 @@ sub index :Path :Args(0) {
 #$c->flash->{xml} = 'Missing parameter';
 $c->res->redirect($c->uri_for('/error'));
 }
+ elsif ( $return_to !~ /$RE{URI}{HTTP}/ ) { #{'-scheme'=>'P'}
+ #$c->flash->{xml} = 'Invalid URI';
+ $c->res->redirect($c->uri_for('/error'));
+ }
 # TODO: generate XML programatically $c->stash->{xml} = sprintf('', $c->config->{'PAUSE::OpenID'}{'baseurl'});
--
cgit v1.2.3
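Review bot: The added `elsif` test `$return_to !~ /$RE{URI}{HTTP}/` is unanchored, so it accepts any value that merely contains an HTTP URL somewhere rather than only values that are one. Anchoring it makes the check match the commit subject, and because Regexp::Common's HTTP pattern defaults to the `http` scheme, the `-scheme` option is needed if `https` return addresses are meant to pass: `elsif ( $return_to !~ /\A$RE{URI}{HTTP}{-scheme => 'https?'}\z/ ) {`. A syntactically valid URL is still not a trusted redirect target, so this should sit alongside whatever comparison of `return_to` against the relying party's realm the rest of `index` performs; the body of `index` starts and ends outside the hunk, so that cannot be confirmed from here. Also worth checking: `redirect` only sets the response, and the visible context goes on to assign `$c->stash->{xml}` after the chain, so a `return` or `$c->detach` may be wanted in both error branches.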