ClientData verification fails for AppID with subpath #18

Open
thmo opened this issue Mar 3, 2020 · 0 comments

thmo commented Mar 3, 2020

This code in u2f/util.go (lines 107 to 116 at commit d21a03e):

```go
	foundFacetID := false
	for _, facetID := range challenge.TrustedFacets {
		if facetID == cd.Origin {
			foundFacetID = true
			break
		}
	}
	if !foundFacetID {
		return errors.New("u2f: untrusted facet id")
	}
```

compares the facetID to be equal to the Origin, as reported by the client. However, the specs say:

If the caller's FacetID is an https:// Origin sharing the same host as the AppID, (e.g. if an application hosted at https://fido.example.com/myApp set an AppID of https://fido.example.com/myAppId), no additional processing is necessary and the operation may proceed.

The check should be modified to reflect that, i.e. accept an Origin sharing the same host as the AppID.

The issue came up here: go-gitea/gitea#10231
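The following is an added example of the check the issue describes, written for this page and not code from the u2f library or from the issue author. It keeps the exact-match test against the trusted facet list and adds the spec's "same host" case for https:// origins; the function name `facetIDTrusted` and the sample AppID and origins are assumptions, and fetching a trusted-facets list from the AppID URL is left out.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// errUntrustedFacet mirrors the error the existing check returns.
var errUntrustedFacet = errors.New("u2f: untrusted facet id")

// facetIDTrusted reports whether the origin from clientData is acceptable for
// appID. It accepts an exact match against trustedFacets (the existing check)
// or, per the spec passage quoted above, an https:// origin whose host is the
// AppID's host. Fetching a trusted-facets list from the AppID is out of scope.
func facetIDTrusted(appID, origin string, trustedFacets []string) error {
	for _, facetID := range trustedFacets {
		if facetID == origin {
			return nil
		}
	}
	app, err := url.Parse(appID)
	if err != nil {
		return err
	}
	o, err := url.Parse(origin)
	if err != nil {
		return err
	}
	// A browser origin is scheme://host[:port] with no path, query, fragment or
	// userinfo; requiring that shape means only the host comparison below can
	// decide the outcome, and a path-bearing or non-https value never matches.
	if o.Scheme != "https" || (o.Path != "" && o.Path != "/") || o.RawQuery != "" || o.Fragment != "" || o.User != nil {
		return errUntrustedFacet
	}
	// Compare host including port: a different port is a different origin (the stricter reading of "same host").
	if o.Host == "" || !strings.EqualFold(o.Host, app.Host) {
		return errUntrustedFacet
	}
	return nil
}

func main() {
	appID := "https://fido.example.com/myAppId" // constructed sample AppID
	for _, origin := range []string{"https://fido.example.com", "http://fido.example.com", "https://other.example.com"} {
		fmt.Printf("%-28s %v\n", origin, facetIDTrusted(appID, origin, nil))
	}
}
```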
