Fix _checkOrigin() to require domain boundary check #123
Conversation
The suffix regex accepted lookalike domains (e.g. evil-example.com for RP ID example.com). Replace with exact match or dot-boundary subdomain check per W3C WebAuthn Level 2 spec §7.1 Step 5 / §7.2 Step 9.
This is a severe security issue that needs immediate addressing IMO. I am currently exploring whether to use this lib or the "bigger" https://github.com/web-auth/webauthn-lib. As such I am a bit concerned that this issue here was not addressed since Mar 27, or acked at least. Thank you!
Just a heads-up for anyone landing here: we've published a security-focused fork of this library as report-uri/passkeys-php. It already includes this fix, along with several other hardening changes. Huge thanks to @lbuchs for the original work! This PR is still very much open for upstream consideration, but the fork is available in the meantime for anyone who needs the change today.
Thx, I had moved on in the meantime to
Summary

Fixes `_checkOrigin()` to enforce a domain boundary when validating the origin against the RP ID, as required by the W3C WebAuthn Level 2 spec (§7.1 Step 5 / §7.2 Step 9).

Problem

The existing regex `preg_match('/' . preg_quote($rpId) . '$/i', $host)` matches any hostname ending with the RP ID string. For RP ID `example.com`, lookalike domains like `evil-example.com` and `evilexample.com` incorrectly pass validation.

Fix

Replace the suffix regex with an exact match check (`strcasecmp`) and a dot-boundary subdomain check (`str_ends_with` with a `.` prefix). This accepts `example.com` and `www.example.com` while rejecting `evil-example.com` and `evilexample.com`.

Closes #122
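The suffix regex from the Problem section beside the exact-match / dot-boundary check the Fix section describes, written as a stand-alone PHP example for this thread. It is not the library's `_checkOrigin()` and not code from the PR; the function names, the `parse_url` step that extracts the host from a full origin, and the table of sample hosts are assumptions made for the demonstration.

```php
<?php
// Added example, not the library's own code. Compares the vulnerable
// suffix-only match with the dot-boundary check proposed in the PR.

// Vulnerable form: passes any host whose string merely ends in the RP ID,
// so "evil-example.com" and "evilexample.com" slip through for "example.com".
function checkRpIdSuffixOnly(string $rpId, string $host): bool
{
    return preg_match('/' . preg_quote($rpId, '/') . '$/i', $host) === 1;
}

// Fixed form: the host must equal the RP ID (case-insensitive) or end in
// ".<rpId>", so the boundary between label and RP ID is always a dot.
function checkRpIdDotBoundary(string $rpId, string $host): bool
{
    if (strcasecmp($rpId, $host) === 0) {
        return true;
    }
    return str_ends_with(strtolower($host), '.' . strtolower($rpId));
}

// Assumed helper (not in the PR): take the host out of a full origin such
// as "https://www.example.com:8443" before applying the RP ID check.
function originHost(string $origin): ?string
{
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? $host : null;
}

// Constructed sample origins for the demonstration.
$rpId = 'example.com';
$origins = [
    'https://example.com',
    'https://www.example.com',
    'https://login.EXAMPLE.com:8443',
    'https://evil-example.com',
    'https://evilexample.com',
];

printf("%-34s %-12s %s\n", 'origin', 'suffix-only', 'dot-boundary');
foreach ($origins as $origin) {
    $host = originHost($origin);
    if ($host === null) {
        printf("%-34s %s\n", $origin, 'unparseable, rejected');
        continue;
    }
    printf(
        "%-34s %-12s %s\n",
        $origin,
        checkRpIdSuffixOnly($rpId, $host) ? 'accept' : 'reject',
        checkRpIdDotBoundary($rpId, $host) ? 'accept' : 'reject'
    );
}
```

Running this prints the two lookalike origins as accepted by the suffix-only check and rejected by the dot-boundary check, while `example.com` and its subdomains pass both. `str_ends_with` requires PHP 8.0 or later; on older runtimes the same boundary test can be written with `substr_compare`. The dot-boundary check matches what the PR proposes and does not consult the Public Suffix List, so it will still accept an RP ID that is itself a public suffix; the spec's "registrable domain suffix" wording (§7.1 Step 5 / §7.2 Step 9) is stricter on that point, which is worth keeping in mind when choosing RP IDs.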