Problem
The None attestation format handler in None::validateAttestation() returns true unconditionally without checking the contents of attStmt.
Per W3C WebAuthn spec §8.7 (None Attestation Statement Format):
"If attStmt is a properly formed attestation statement, verify that attStmt is an empty CBOR map."
Currently, an attacker could send an attestation object with fmt: "none" but include arbitrary data in attStmt (e.g. {"foo": "bar"}) and it would be silently accepted.
Suggested fix
Add a check at the top of None::validateAttestation() that verifies attStmt is empty:
if (\count($this->_attestationObject['attStmt']) > 0) {
throw new WebAuthnException('invalid none attestation: attStmt must be empty', WebAuthnException::INVALID_DATA);
}
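To show where the missing check sits in the parsing flow, here is an added example (not the library's own code, and in Python rather than its PHP): a minimal CBOR decoder for the subset attestation objects use, the vulnerable and fixed "none" handlers side by side, and two constructed attestation objects, one with an empty attStmt and one carrying {"foo": "bar"}.

```python
# Added example, not the library's code. The decoder is hand-rolled so the
# script runs without a CBOR dependency; it covers only what attestation
# objects need (uint, bstr, tstr, map) with arguments below 256.

def _read_head(buf, pos):
    """Return (major type, argument, next position) for the item at pos."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info < 24:
        return major, info, pos + 1
    if info == 24:
        return major, buf[pos + 1], pos + 2
    raise ValueError("unsupported CBOR argument encoding")

def decode(buf, pos=0):
    """Decode one CBOR item starting at pos; returns (value, next position)."""
    major, arg, pos = _read_head(buf, pos)
    if major == 0:                                  # unsigned integer
        return arg, pos
    if major in (2, 3):                             # byte string / text string
        data = buf[pos:pos + arg]
        return (data if major == 2 else data.decode("utf-8")), pos + arg
    if major == 5:                                  # map with `arg` pairs
        result = {}
        for _ in range(arg):
            key, pos = decode(buf, pos)
            result[key], pos = decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def validate_none_unpatched(att_obj):
    """Behaviour reported in the issue: attStmt is never inspected."""
    return att_obj.get("fmt") == "none"

def validate_none_fixed(att_obj):
    """Suggested fix: a 'none' statement must be an empty CBOR map."""
    if att_obj.get("fmt") != "none":
        raise ValueError("not a none attestation")
    if len(att_obj["attStmt"]) > 0:
        raise ValueError("invalid none attestation: attStmt must be empty")
    return True

def accepts(buf, validator):
    """Decode a constructed attestation object and report whether it passes."""
    try:
        return validator(decode(buf)[0])
    except ValueError:
        return False

# Constructed attestation objects: {"fmt": "none", "attStmt": ..., "authData": b"\x01\x02\x03"}
_HEAD = "a3 63 666d74 64 6e6f6e65 67 61747453746d74"      # fmt: "none", key attStmt
_TAIL = "68 6175746844617461 43 010203"                    # authData: 3 sample bytes
WELL_FORMED = bytes.fromhex(f"{_HEAD} a0 {_TAIL}")         # attStmt = {}
MALFORMED = bytes.fromhex(f"{_HEAD} a1 63 666f6f 63 626172 {_TAIL}")  # attStmt = {"foo": "bar"}
```

Running accepts() with both validators shows the unpatched handler accepting MALFORMED while the fixed one rejects it and still accepts WELL_FORMED.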