Improve validation rules for the verification response 'me' #35

Open
fluffy-critter opened this issue Oct 30, 2019 · 0 comments

Comments

@fluffy-critter fluffy-critter commented Oct 30, 2019

The spec as currently written says:

Clients MUST use the resulting me value from the authorization code verification or access token response rather than assume the initially-entered URL is correct, with the following condition:

The resulting profile URL MUST have a matching domain of the initially-entered profile URL.

This ensures that an authorization endpoint is not able to issue valid responses for arbitrary profile URLs.

However, this has a security concern in the case of a website with multiple users on a single domain; for example, given the sites https://example.com/alice/ and https://example.com/bob/, the bob user could provide an IndieAuth authorization_endpoint that maliciously verifies all codes with a me of https://example.com/alice.

The specification should instead only allow augmentations to the path; for example:

  • https://example.com/alice -> https://example.com/alice/ is valid
  • https://example.com/alice/ -> https://example.com/alice/blog/ is valid

however,

  • https://example.com/bob -> https://example.com/alice is not valid
  • https://example.com/bob -> https://example.com/bob_has_bad_security is not valid
  • https://example.com/bob -> https://example.com/bob/../alice/ is not valid

Possible phrasing:

"The response URL's normalized path is strictly the same as or within a subdirectory of the provided identity URL's path"

@fluffy-critter fluffy-critter changed the title Improve validation rules for the response 'me' Improve validation rules for the verification response 'me' Oct 30, 2019
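The check proposed above, written out as an added example for an IndieAuth client; this is not code from the issue author or from the spec, and the function name me_is_valid is assumed. It keeps the spec's existing domain requirement (scheme, host and effective port must match) and adds the segment-wise path rule: the returned path, after percent-decoding and normalization, must equal the entered path or lie beneath it. Comparing whole path segments rather than string prefixes is what rejects the /bob -> /bob_has_bad_security case, and normalizing after decoding is what rejects /bob/../alice/ and its %2e%2e-encoded equivalent.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Example code, not part of the IndieAuth spec or of any client library.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, lowercased host, effective port) for a profile URL.

    Raises ValueError for anything that is not an http(s) URL with a host,
    or whose port does not parse, so the caller can treat it as a mismatch.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed profile URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]  # .port raises on junk
    return (parts.scheme, parts.hostname.lower(), port)


def _path_segments(url):
    """Percent-decode, normalize ('.', '..', repeated '/'), then split.

    Decoding happens before normalization so that an encoded dot-dot
    ('%2e%2e') cannot slip past the check. A trailing slash is dropped by
    normpath, so '/alice' and '/alice/' yield the same segments.
    """
    path = unquote(urlsplit(url).path) or "/"
    path = posixpath.normpath(path)  # '/bob/../alice/' -> '/alice'
    return [seg for seg in path.split("/") if seg]


def me_is_valid(entered_me, returned_me):
    """True if the 'me' returned by the authorization endpoint may be
    accepted for the profile URL the user originally entered.

    Rule: same origin, and the returned path's segments start with the
    entered path's segments (same directory or a subdirectory of it).
    """
    try:
        if _origin(entered_me) != _origin(returned_me):
            return False
    except ValueError:
        return False
    entered = _path_segments(entered_me)
    returned = _path_segments(returned_me)
    return returned[:len(entered)] == entered


if __name__ == "__main__":
    # Constructed inputs mirroring the cases listed in the issue.
    checks = [
        ("https://example.com/alice", "https://example.com/alice/"),
        ("https://example.com/alice/", "https://example.com/alice/blog/"),
        ("https://example.com/bob", "https://example.com/alice"),
        ("https://example.com/bob", "https://example.com/bob_has_bad_security"),
        ("https://example.com/bob", "https://example.com/bob/../alice/"),
    ]
    for entered, returned in checks:
        print(f"{entered} -> {returned}: {me_is_valid(entered, returned)}")
```

A single-user domain keeps working under this rule: an entered profile URL of https://example.com/ has no path segments, so any path on that origin is accepted, which matches today's domain-only behaviour for that case.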