Security considerations around both "bad" icon URIs and "bad" names #151
Comments
Very good comment Eve. We should generalise because it refers to the

On Mon, 8 Jun 2015 20:25 Eve Maler notifications@github.com wrote:

Come to think of it, only a URI would have the infection vulnerability (which icon_uri would have explicitly, and perhaps a resource type could have implicitly if the string is a URI that the application tries to dereference). A resource set name, scope name, or resource set type only explicitly have the confusion vulnerability. I suppose we should put some thought into the angle of a resource set type confusing somebody other than a human resource owner, since its point is presumably to be machine-readable...
I'm not sure I understand the distinction -- this is, effectively, a vulnerability on the part of the AS's frontend system. If an RS registers a resource set called (Actually I'm not sure what the direct threat is with an image URI -- other than the wrong image being displayed -- since the AS would presumably render that image inside of an
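The point raised above is that whatever an RS registers (name, scope, type, icon_uri) ends up being rendered by the AS front end to a human resource owner, so the AS has to treat those strings as untrusted. The following is an added illustration, not code from the thread or from any UMA implementation: it shows an AS-side helper that restricts icon_uri to an absolute https URL without userinfo, treats names, scopes and types as opaque text that is clipped and HTML-escaped, and builds the consent-page fragment from the sanitised values. The registration body, the scheme allow-list and the length limit are constructed assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed example of a resource set registration as an RS might send it
# to the AS (hypothetical values, not taken from the thread).
REGISTRATION = {
    "name": "Photo <b>Album</b>",
    "icon_uri": "https://rs.example/icon.png",
    "scopes": ["view", "edit"],
    "type": "http://rs.example/rsets/photo-album",
}

# Policy choices assumed for this example: only https icons, and a cap on
# how much of any registered string the consent page will show.
ALLOWED_ICON_SCHEMES = {"https"}
MAX_DISPLAY_LEN = 64


def validate_icon_uri(uri):
    """Return the icon URI if it is an absolute https URL with a host and no
    userinfo; otherwise return None so the AS renders no icon at all.

    Rejecting rather than "fixing" the URI keeps the AS from dereferencing
    anything the RS did not register in the expected form.
    """
    if not isinstance(uri, str):
        return None
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_ICON_SCHEMES:
        return None
    if not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    return uri


def display_string(value):
    """Treat a registered name, scope or type as opaque text for display:
    strip, clip to MAX_DISPLAY_LEN and HTML-escape (including quotes)."""
    if not isinstance(value, str):
        return ""
    clipped = value.strip()[:MAX_DISPLAY_LEN]
    return html.escape(clipped, quote=True)


def render_consent_row(reg):
    """Build the HTML list item the AS consent page would show for one
    resource set, using only sanitised values."""
    name = display_string(reg.get("name", ""))
    rtype = display_string(reg.get("type", ""))
    scopes = ", ".join(display_string(s) for s in reg.get("scopes", []))
    icon = validate_icon_uri(reg.get("icon_uri"))
    icon_html = (
        f'<img src="{html.escape(icon, quote=True)}" alt="">' if icon else ""
    )
    return f"<li>{icon_html} {name} [{rtype}] (scopes: {scopes})</li>"


if __name__ == "__main__":
    print(render_consent_row(REGISTRATION))
```

The same helpers apply to a resource set type: as the thread notes, a type is meant to be machine-readable, so the AS should compare it as an opaque string and never dereference it just because it happens to look like a URL.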
Some context: https://tools.ietf.org/html/rfc7591#section-5, paragraph 6.
BTW, what does it mean "URIs resolve to valid web pages."? Is there a definition of a "valid web page"?
As discussed on UMA telecon 2015-08-27: "We shouldn't have the AS check for URI host/scheme matching, so the second part of the third paragraph in RSR Sec 4 should come out. We don't want to add any SHOULDs." We can close this, presuming Maciej has already implemented amendments made on the call.
RSR Sec 4 talks about how "A malicious resource server could register a bad icon URI at an authorization server, "infecting" the authorization server either when the icon is retrieved or by confusing a human resource owner about the nature of the resource set being protected." However, the same is true for a scope or resource set name, not just an icon_uri. This should be mentioned as well.