- From: Soares Chen via GitHub <sysbot+gh@w3.org>
- Date: Tue, 22 Aug 2017 02:51:41 +0000
- To: public-webrtc-logs@w3.org
In ietf-security-arch:

> The path, starting with "/.well-known/idp-proxy/" and appended with the IdP protocol. Note that the separator characters '/' (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field, lest an attacker be able to direct requests outside of the controlled "/.well-known/" prefix. Query and fragment values MAY be used by including '?' or '#' characters.

This makes me realize that this PR is dealing with `protocol` in `RTCIdentityProviderDetails`, while #1500 mentions `protocol` in `RTCIdentityProviderOptions`. `RTCIdentityProviderDetails` is returned from the IdP proxy, which means there is an issue of whether we want to validate that both the `domain` and `protocol` returned are well formed, and make methods that invoke "Requesting Identity Assertions" fail if they are not.

That being said, an attacker can serialize an arbitrary assertion string into the SDP and pass it to a remote peer. In such a case it should result in failure in lower level libraries and cause `setRemoteDescription` to fail. So it probably doesn't matter much if the local peer doesn't catch the error early.

--
GitHub Notification of comment by soareschen
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/pull/1538#issuecomment-323904799 using your GitHub account
Received on Tuesday, 22 August 2017 02:51:40 UTC
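
The well-formedness check on `domain` and `protocol` discussed in the message above, as an added example that is not part of the original message or of the webrtc-pc specification. `idpProxyUrl` is a hypothetical helper, the host and protocol values used with it are constructed, and rejecting the percent-encoded separators is an assumed stricter reading of the quoted rule.

```javascript
// Added example; idpProxyUrl() is a hypothetical helper, not webrtc-pc or browser code.
const IDP_PREFIX = '/.well-known/idp-proxy/';

function idpProxyUrl(domain, protocol) {
  if (typeof domain !== 'string' || typeof protocol !== 'string') {
    throw new TypeError('domain and protocol must be strings');
  }
  // Quoted rule: '/' and '\' MUST NOT appear in protocol. The percent-encoded
  // forms are rejected too (assumption: a stricter reading than the draft text).
  if (/[\/\\]|%2f|%5c/i.test(protocol)) {
    throw new Error('protocol contains a path separator');
  }
  // Assumption: domain is an ASCII host with an optional non-default port.
  // Anything that parses to more than a bare host (path, userinfo, query)
  // is rejected because the parsed host no longer equals the input.
  const base = new URL('https://' + domain);
  if (base.host !== domain.toLowerCase() || base.pathname !== '/') {
    throw new Error('domain is not a bare host');
  }
  // '?' and '#' stay allowed in protocol, as the quoted text permits.
  const url = new URL(IDP_PREFIX + protocol, base.origin);
  // Check the parsed result as well: the URL parser normalizes dot segments,
  // so the final path is compared against the prefix after parsing.
  if (!url.pathname.startsWith(IDP_PREFIX)) {
    throw new Error('resolved path left ' + IDP_PREFIX);
  }
  return url.href;
}
```

A caller that receives `RTCIdentityProviderDetails` from an IdP proxy could run both fields through such a check before using them and fail the operation when it throws.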