
Evaluate URL comparison #27

Open
TimothyBJacobs opened this issue May 21, 2020 · 0 comments
Labels
help wanted Extra attention is needed security Impacts the security of the plugin

Comments

@TimothyBJacobs
Member

There are two main places where we compare URLs against each other to ensure they match in some way.

  1. Dynamic Clients. We make sure that the client_uri ( which is what we display in the UI ) is the same host as the redirect_uris and other uris. This currently uses parse_url( PHP_URL_HOST ). Can this be spoofed?

  2. Redirect URIs. We check that the requested redirect_uri is one of the whitelisted redirect_uris. Is this an accurate check?

@TimothyBJacobs TimothyBJacobs added help wanted Extra attention is needed security Impacts the security of the plugin labels May 21, 2020
@TimothyBJacobs TimothyBJacobs added this to the Merge Proposal milestone May 21, 2020
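The following is an added illustration of the two comparisons the issue asks about; it is not code from the plugin and the `oauth2_issue27_*` helper names, the `app.example` / `evil.example` URLs and the expected results are constructed for this example (assumes PHP 7.1+ for the nullable return type). The first part answers "can `parse_url( PHP_URL_HOST )` be spoofed" by feeding it inputs that parse fine but would mislead a host-only comparison, and rejects or normalises each; the second part puts a prefix-based redirect_uri check next to an exact string match to show what the weaker check lets through.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not plugin code): return the lower-cased host of an
 * absolute http(s) URL, or null when the URL must not take part in a host
 * comparison. Inputs that parse_url() accepts but a user would read
 * differently are refused rather than "fixed".
 */
function oauth2_issue27_trusted_host( string $url ): ?string {
	$parts = parse_url( $url );
	// false: unparseable (e.g. "http:///x"). Missing scheme: scheme-relative
	// "//evil.example/cb". Missing host: "javascript:alert(1)".
	if ( false === $parts || ! isset( $parts['scheme'], $parts['host'] ) ) {
		return null;
	}
	if ( ! in_array( strtolower( $parts['scheme'] ), array( 'https', 'http' ), true ) ) {
		return null;
	}
	// "https://app.example@evil.example/cb" parses with host "evil.example"
	// but reads as app.example in a UI, so refuse any userinfo outright.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return null;
	}
	// parse_url() keeps the case it was given; hostnames are case-insensitive.
	return strtolower( $parts['host'] );
}

/** Dynamic-client check: every URI must share the client_uri host exactly. */
function oauth2_issue27_same_host( string $client_uri, array $other_uris ): bool {
	$expected = oauth2_issue27_trusted_host( $client_uri );
	if ( null === $expected ) {
		return false;
	}
	foreach ( $other_uris as $uri ) {
		if ( oauth2_issue27_trusted_host( $uri ) !== $expected ) {
			return false;
		}
	}
	return true;
}

/** Weak redirect_uri check: prefix match against the registered list. */
function oauth2_issue27_prefix_match( string $requested, array $registered ): bool {
	foreach ( $registered as $allowed ) {
		if ( 0 === strpos( $requested, $allowed ) ) {
			return true;
		}
	}
	return false;
}

/** Exact string match; strict so in_array() does no loose "==" coercion. */
function oauth2_issue27_exact_match( string $requested, array $registered ): bool {
	return in_array( $requested, $registered, true );
}

// Constructed inputs for question 1 (client_uri host vs. other URIs).
$client_uri = 'https://app.example';
$host_cases = array(
	'https://app.example/cb'              => true,  // same host
	'HTTPS://APP.EXAMPLE/cb'              => true,  // differs only in case
	'https://app.example@evil.example/cb' => false, // userinfo spoof
	'//evil.example/cb'                   => false, // scheme-relative
	'https://app.example.evil.example/cb' => false, // attacker-owned subdomain
	'https://app.example:8443/cb'         => true,  // port is not part of the host
);
foreach ( $host_cases as $uri => $expected ) {
	$got = oauth2_issue27_same_host( $client_uri, array( $uri ) );
	printf( "%-40s same host: %-5s (expected %s)\n", $uri, var_export( $got, true ), var_export( $expected, true ) );
}

// Constructed inputs for question 2 (requested redirect_uri vs. whitelist).
$registered     = array( 'https://app.example/cb' );
$redirect_cases = array(
	'https://app.example/cb',                     // the registered value itself
	'https://app.example/cb/../admin',            // path escape appended
	'https://app.example/cb?next=//evil.example', // attacker-added query
	'https://app.example/cb#token',               // fragment appended
	'https://evil.example/cb',                    // different host
);
foreach ( $redirect_cases as $uri ) {
	printf(
		"%-45s prefix: %-5s exact: %s\n",
		$uri,
		var_export( oauth2_issue27_prefix_match( $uri, $registered ), true ),
		var_export( oauth2_issue27_exact_match( $uri, $registered ), true )
	);
}
```

Two things the output makes visible. For question 1, a plain `parse_url( $url, PHP_URL_HOST )` would return `evil.example` for the userinfo case and `evil.example` for the scheme-relative case without any error, so the comparison itself is only as good as the rejection rules in front of it; whether a differing port should count as "the same host" is a policy decision the helper deliberately leaves at "yes" with a comment. For question 2, the prefix check accepts every appended path, query and fragment, while exact string comparison (what RFC 6749 §3.1.2.2 requires when the full redirection URI is registered) accepts only the registered value.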