handle case broken in error handling - IPv6 URL

Author: AlanCoding

oauth2_provider/validators.py

@@ -27,7 +27,10 @@ def __call__(self, value):
             # Trivial case failed. Try for possible IDN domain
             if value:
                 value = force_text(value)
-                scheme, netloc, path, query, fragment = urlsplit(value)
+                try:
+                    scheme, netloc, path, query, fragment = urlsplit(value)
+                except ValueError as e:
+                    raise ValidationError("Cannot parse Redirect URI. Error: {}".format(e))
                 try:
                     netloc = netloc.encode("idna").decode("ascii")  # IDN -> ACE
                 except UnicodeError:  # invalid domain part

tests/test_validators.py

@@ -28,6 +28,9 @@ def test_validate_bad_uris(self):
         self.assertRaises(ValidationError, validate_uris, bad_uri)
         bad_uri = "http:/example.com"
         self.assertRaises(ValidationError, validate_uris, bad_uri)
+        # Bad IPv6 URL, urlparse behaves differently for these
+        bad_uri = "https://[\"><script>alert()</script>"
+        self.assertRaises(ValidationError, validate_uris, bad_uri)
         bad_uri = "my-scheme://example.com"
         self.assertRaises(ValidationError, validate_uris, bad_uri)
         bad_uri = "sdklfsjlfjljdflksjlkfjsdkl"