From d38328976e2c8bb0fab91e656042a0d8ac37bc76 Mon Sep 17 00:00:00 2001
From: JoramWilander
Date: Wed, 6 Sep 2017 16:24:34 -0400
Subject: Various patches

---
 api4/oauth.go | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'api4/oauth.go')

diff --git a/api4/oauth.go b/api4/oauth.go
index ae5035fdc..392129143 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := app.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+		utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+		return
+	}
+
 	isAuthorized := false
 	if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
-- 
cgit v1.2.3-1-g7c22
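Review bot: The new permission check in createOAuthApp silently clears `oauthApp.IsTrusted` for callers without PERMISSION_MANAGE_SYSTEM, so a non-admin who submits `is_trusted: true` gets a non-trusted app back with no indication that the field was overridden; that is a defensible choice (it avoids leaking which fields are privileged), but it is a security decision and deserves a comment so nobody later "fixes" it into an error or removes it. Suggest adding above the `if`: `// Only system admins may create trusted OAuth apps; for anyone else the flag is dropped rather than rejected.` If trusted apps bypass the per-user authorization prompt, as the name suggests, the comment should say so explicitly — confirm against where IsTrusted is consumed. Please also check that the corresponding update handler applies the same rule, since a trusted flag that cannot be set on create but can be set on update is the usual gap. The body of createOAuthApp starts and ends outside this hunk.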
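Review bot: The redirect-URI check in authorizeOAuthPage correctly renders the error in place instead of redirecting, but nothing in the hunk says why, and this is exactly the kind of line a later cleanup turns into a redirect-with-error; add a why-comment on the `if`: `// Never redirect to an unvalidated redirect_uri; show the error in place instead (RFC 6749 §3.1.2.4).` The error key `api.oauth.allow_oauth.redirect_callback.app_error` is borrowed from the allow handler, which suggests the same validation exists there; if the allow or token-exchange path does not call IsValidRedirectURL as well, the check here only protects the consent page and not the code issuance — worth confirming since that code is outside this hunk. Whether IsValidRedirectURL does exact matching or prefix matching is not visible here; exact string comparison against the registered callback is the safe behaviour. The body of authorizeOAuthPage starts and ends outside this hunk.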