
[webrtc-pc] Pull Request: Validate protocol string in IdP operations

From: Soares Chen via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Sep 2017 09:41:22 +0000
To: public-webrtc@w3.org
Message-ID: <pull_request.opened-141802084-1505814069-sysbot+gh@w3.org>
soareschen has just submitted a new pull request for https://github.com/w3c/webrtc-pc:

== Validate protocol string in IdP operations ==
Fixes #1500.

This is based on the protocol field defined in [ietf-rtcweb-security-arch](https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.6.5):

> protocol:  The specific IdP protocol which the IdP is using.  This is a completely opaque IdP-specific string, but allows an IdP to implement two protocols in parallel.  This value may be the empty string.  If no value for protocol is provided, a value of "default" is used.

> Note that the separator characters '/' (%2F) and '\\' (%5C) MUST NOT be permitted in the protocol field, lest an attacker be able to direct requests outside of the controlled "/.well-known/" prefix.  Query and fragment values MAY be used by including '?' or '#' characters.

The spec is not clear about how "opaque" the protocol can be with respect to the well-formedness of the URI format. The way I interpret this is that the provider string may contain the path, query, and fragment components of a URI, and each component will be normalized accordingly when forming the well-known URI for the IdP proxy, e.g. invalid characters will be percent-encoded.

Since anything can be percent-encoded, that means protocol may contain arbitrary characters other than "/" and "\\", which are explicitly forbidden. Here the percent-encoded strings "%2F" and "%5C" are not banned, because my understanding is that percent encoding will be done by the browser instead of the application.

This PR differs from the approach in #1538. #1538 does not cover percent encoding and the query/fragment component. We might want to discuss more on whether it is the browser's or the application's responsibility to encode the protocol field as a well-formed URI.

See https://github.com/w3c/webrtc-pc/pull/1608
Received on Tuesday, 19 September 2017 09:41:17 UTC
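The validation and encoding behaviour the PR describes, as an added example that is not code from the PR, the webrtc-pc spec or any browser: it rejects raw '/' and '\' as the quoted draft text requires, treats the first '?' and '#' as query and fragment separators, and percent-encodes each component. The well-known path form `https://<domain>/.well-known/idp-proxy/<protocol>` and the function names are assumptions.

```javascript
// Added example, not code from the PR or the webrtc-pc spec.
// Assumed well-known form: https://<domain>/.well-known/idp-proxy/<protocol>

// Validate the IdP "protocol" field as the quoted draft text describes it:
// absent -> "default", empty string allowed, raw '/' and '\' rejected.
function validateIdpProtocol(protocol) {
  if (protocol === undefined || protocol === null) return 'default';
  if (typeof protocol !== 'string') throw new TypeError('protocol must be a string');
  // Only the raw separators are banned. The literal sequences "%2F"/"%5C" are
  // not rejected: the builder below encodes the '%' itself, so they reach the
  // server as "%252F"/"%255C" and can never be decoded into a path separator.
  if (/[\/\\]/.test(protocol)) {
    throw new TypeError('protocol must not contain "/" or "\\"');
  }
  return protocol;
}

// Build the IdP proxy URI: split the protocol into path, query and fragment at
// the first '?' and '#', then percent-encode each component separately.
function buildIdpProxyUri(domain, protocol) {
  const p = validateIdpProtocol(protocol);
  const hashIdx = p.indexOf('#');
  const beforeHash = hashIdx >= 0 ? p.slice(0, hashIdx) : p;
  const fragment = hashIdx >= 0 ? p.slice(hashIdx + 1) : null;
  const qIdx = beforeHash.indexOf('?');
  const path = qIdx >= 0 ? beforeHash.slice(0, qIdx) : beforeHash;
  const query = qIdx >= 0 ? beforeHash.slice(qIdx + 1) : null;

  // Path segment: encodeURIComponent escapes everything outside the unreserved
  // set, including '%', '?' and '#', so the segment cannot gain new separators.
  let uri = 'https://' + domain + '/.well-known/idp-proxy/' + encodeURIComponent(path);
  // Query/fragment: keep '=', '&' and '?' meaningful, escape '%' and stray '#'.
  if (query !== null) uri += '?' + encodeURI(query).replace(/#/g, '%23');
  if (fragment !== null) uri += '#' + encodeURI(fragment).replace(/#/g, '%23');
  return uri;
}

// Constructed sample inputs for the cases the PR text discusses.
const SAMPLES = [
  ['idp.example', undefined],               // no value -> "default"
  ['idp.example', 'oidc v1?ver=2&x=a b#s'], // path, query and fragment
  ['idp.example', '%2F'],                   // encoded separator stays encoded
];
for (const [domain, protocol] of SAMPLES) {
  console.log(JSON.stringify(protocol), '->', buildIdpProxyUri(domain, protocol));
}
```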

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:51 UTC