From 2f31ceddf8e41b891b1e72a1fb71773b026fbfb7 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 10 May 2017 17:39:59 -0400
Subject: [PATCH] set redirect URI matching to strict by default

---
 CHANGELOG.md | 2 ++
 .../oauth2/service/impl/BlacklistAwareRedirectResolver.java | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a92b0be97..ea08bd561 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 Unreleased:
 - Added changelog
+ - Set default redirect URI resolver strict matching to true
+ - Fixed XSS vulnerability on redirect URI display on approval page
 
 *1.3.1*:
 - Added End Session endpoint
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
index 2cc571a90..155d6f84d 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
@@ -47,7 +47,7 @@ public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
 @Autowired
 private ConfigurationPropertiesBean config;
 
- private boolean strictMatch = false;
+ private boolean strictMatch = true;
 
 /* (non-Javadoc)
 * @see org.springframework.security.oauth2.provider.endpoint.RedirectResolver#resolveRedirect(java.lang.String, org.springframework.security.oauth2.provider.ClientDetails)
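Review bot: The flipped default on `strictMatch` carries no comment explaining why `true` is the safe value, and a field initializer is exactly the line a future maintainer will toggle back when a client's redirect "stops working"; a why-comment belongs on the new line. I would put above it: `/** Require an exact match between the requested redirect_uri and one registered for the client. The non-strict path (presumably DefaultRedirectResolver's looser comparison, not visible here) lets anyone who controls a URI that merely resembles a registered one receive the authorization code, so keep this true unless a specific legacy client demonstrably needs otherwise. */`. Note that the new default only protects deployments that never set the property; any bean definition that still configures `strictMatch` to false keeps the old behavior, so if a setter exists elsewhere in the class a warning log when it is disabled would make that choice visible. The class body and `resolveRedirect` continue past the end of this hunk.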