[webrtc-pc] Pull Request: Validate protocol string in IdP operations

soareschen has just submitted a new pull request for https://github.com/w3c/webrtc-pc:

== Validate protocol string in IdP operations ==
Fixes #1500.

This is based on the protocol field defined in [ietf-rtcweb-security-arch](https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.6.5):

> protocol:  The specific IdP protocol which the IdP is using.  This is a completely opaque IdP-specific string, but allows an IdP to implement two protocols in parallel.  This value may be the empty string.  If no value for protocol is provided, a value of "default" is used.

> Note that the separator characters '/' (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field, lest an attacker be able to direct requests outside of the controlled "/.well-known/" prefix.  Query and fragment values MAY be used by including '?' or '#' characters.

The spec is not clear on how "opaque" the protocol can be with respect to the well-formedness of the URI format. The way I interpret this is that the provider string may contain the path, query, and fragment components of a URI, and each component will be normalized accordingly when forming the well-known URI for the IdP proxy, e.g. invalid characters will be percent-encoded.

Since anything can be percent-encoded, that means protocol may contain arbitrary characters other than "/" and "\", which are explicitly forbidden. Here the percent-encoded strings "%2F" and "%5C" are not banned, because my understanding is that percent encoding will be done by the browser instead of the application.

This PR differs from the approach in #1538. #1538 does not cover percent encoding and the query/fragment component. We might want to discuss further whether it is the browser's or the application's responsibility to encode the protocol field as a well-formed URI.

See https://github.com/w3c/webrtc-pc/pull/1608

Received on Tuesday, 19 September 2017 09:41:14 UTC
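The validation and browser-side encoding discussed in this PR, as an added example that is not code from the PR or from the webrtc-pc project: it assumes the IdP proxy location `https://<domain>/.well-known/idp-proxy/<protocol>` from the security-arch draft, the function names are mine, and it goes one step beyond the PR by checking that the URI still lies under the prefix after URL normalization (dot segments such as `..` contain neither `/` nor `\` and so pass the character rule alone).

```javascript
// Added example (not from the PR or the webrtc-pc spec). Builds the IdP proxy
// URI https://<domain>/.well-known/idp-proxy/<protocol> and enforces the
// draft's rule that '/' and '\' are never permitted in the protocol field.
const IDP_PROXY_PREFIX = "/.well-known/idp-proxy/";

// Apply the draft's default value and reject the forbidden separators.
// The result may be "" and may contain '?' / '#' for query and fragment.
function normalizeProtocol(protocol) {
  if (protocol === undefined || protocol === null) return "default";
  const value = String(protocol);
  if (/[\/\\]/.test(value)) {
    throw new TypeError("IdP protocol must not contain '/' or '\\'");
  }
  return value;
}

// Percent-encode the path portion (everything before the first '?' or '#').
// This is the browser-side encoding the PR assumes, so a literal "%2F" in
// the input becomes "%252F" and never turns back into a path separator.
function encodeProtocol(protocol) {
  const cut = protocol.search(/[?#]/);
  if (cut === -1) return encodeURIComponent(protocol);
  return encodeURIComponent(protocol.slice(0, cut)) + protocol.slice(cut);
}

function buildIdpProxyUri(domain, protocol) {
  const encoded = encodeProtocol(normalizeProtocol(protocol));
  const url = new URL(`https://${domain}${IDP_PROXY_PREFIX}${encoded}`);
  // Defensive post-condition: after the URL parser's normalization (which
  // collapses dot segments such as ".." that the character rule lets
  // through) the request must still target the same host under the prefix.
  if (url.host !== domain.toLowerCase() ||
      !url.pathname.startsWith(IDP_PROXY_PREFIX)) {
    throw new TypeError("protocol escapes the /.well-known/idp-proxy/ prefix");
  }
  return url.href;
}
```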