10.14. Code Injection and Input Validation (10.14. Code Injection and Input Validation)

10.14. Code Injection and Input Validation

A code injection attack occurs when an input or other external variable used by a program is not sanitized and causes a modification of the program logic. This may allow an attacker to gain access to the application's device or its data, cause denial of service, or introduce a wide range of malicious side effects.

The authorization server and client MUST sanitize (and validate when possible) any value received -- in particular, the value of the "state" and "redirect_uri" parameters.

10.14. Code Injection and Input Validation

   A code injection attack occurs when an input or otherwise external
   variable is used by an application unsanitized and causes
   modification to the application logic.  This may allow an attacker to
   gain access to the application device or its data, cause denial of
   service, or introduce a wide range of malicious side-effects.

   The authorization server and client MUST sanitize (and validate when
   possible) any value received -- in particular, the value of the
   "state" and "redirect_uri" parameters.
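The two parameters the section singles out can be validated rather than merely sanitized. The following added example (not part of RFC 6749) shows an authorization server accepting a "redirect_uri" only on exact match against a constructed, pre-registered list for the client, and a client checking a returned "state" against the value it stored in the session; the client registry, the state alphabet and the length limit are assumptions for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registry (hypothetical data, not from the RFC).
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://app.example.com/callback"],
}

# Assumed charset for client-generated state values (base64url).
STATE_ALPHABET = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
)
MAX_STATE_LEN = 128


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: accept only an https absolute URI with no
    fragment and no userinfo that exactly matches a registered URI.
    No prefix, substring or wildcard matching."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def new_state() -> str:
    """Client side: unguessable state, stored in the user's session."""
    return secrets.token_urlsafe(32)


def validate_state(received: str, expected: str) -> bool:
    """Client side: reject anything outside the expected charset or length
    before it reaches logs or templates, then compare in constant time."""
    if not received or len(received) > MAX_STATE_LEN:
        return False
    if any(ch not in STATE_ALPHABET for ch in received):
        return False
    return hmac.compare_digest(received.encode(), expected.encode())
```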