[OpenID] OpenID 2.0 spec security improvement suggestion
Andrew Arnott
andrewarnott at gmail.com
Wed Mar 11 18:17:21 UTC 2009
In OpenID 2.0 section 11.1, we see the following requirement regarding
verifying the openid.return_to parameter:
Any query parameters that are present in the "openid.return_to" URL MUST
also be present with the same values in the URL of the HTTP request the RP
received.
But consider this incoming RP message: (I didn't bother properly URL
encoding it since that would just make it harder to read)
http://rp/authenticate?a=b&a=c&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.*(other openid parameters)
In the above GET request, the openid.return_to value has a decoded value of
http://rp/authenticate?a=b. You can see that the incoming request matches
the requirements, as all the keys exist with the same values. However, some
keys (specifically 'a' in this example) show up multiple times, and have
different values. Depending on the library, this could have adverse
security or undesirable altering effects.
I wonder if we should enhance the 2.1 spec to say that the same keys must
not appear more than they do in the return_to URL.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
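As an added illustration (not code from the post, the OpenID specification, or any OpenID library), the following Python implements the section 11.1 return_to comparison two ways: `spec_check` follows the quoted wording (every query parameter of openid.return_to must be present with the same value in the request, plus that section's scheme/authority/path clause), and `strict_check` adds the tightening the post proposes, namely that a key may not occur more times in the request than it does in openid.return_to. The request URL is constructed here, modelled on the one in the post but properly percent-encoded; the function names are this example's own.

```python
"""Check openid.return_to against the incoming request URL (added example)."""
from collections import Counter
from urllib.parse import parse_qs, parse_qsl, urlsplit


def _query_pairs(url):
    # Decoded (key, value) pairs in document order, duplicates preserved.
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def _same_target(request_url, return_to):
    # Section 11.1 also requires scheme, authority and path to match.
    req, rt = urlsplit(request_url), urlsplit(return_to)
    return (req.scheme, req.netloc, req.path) == (rt.scheme, rt.netloc, rt.path)


def spec_check(request_url, return_to):
    """Section 11.1 as quoted in the post: every (key, value) pair found in
    return_to must also appear in the request.  Extra occurrences of the same
    key in the request are not rejected, which is the gap the post points at."""
    if not _same_target(request_url, return_to):
        return False
    req_pairs = set(_query_pairs(request_url))
    return all(pair in req_pairs for pair in _query_pairs(return_to))


def strict_check(request_url, return_to):
    """The post's proposed tightening: for every key named in return_to, the
    request must carry exactly the same multiset of values for that key, so
    a=b&a=c cannot satisfy a return_to that only says a=b.  Keys absent from
    return_to (the openid.* parameters the OP appends) are still allowed."""
    if not _same_target(request_url, return_to):
        return False
    req = Counter(_query_pairs(request_url))
    rt = Counter(_query_pairs(return_to))
    rt_keys = {key for key, _ in rt}
    req_for_rt_keys = Counter({p: n for p, n in req.items() if p[0] in rt_keys})
    return req_for_rt_keys == rt


def extract_return_to(request_url):
    """Pull the decoded openid.return_to value out of the request URL."""
    values = parse_qs(urlsplit(request_url).query).get("openid.return_to", [])
    return values[0] if values else None


def library_views(request_url, key):
    """How a repeated key looks to three common parsing habits: first value
    wins, last value wins, or all values kept.  Different libraries pick
    different ones, which is why the duplicate is a problem."""
    values = [v for k, v in _query_pairs(request_url) if k == key]
    return (values[0], values[-1], values) if values else (None, None, [])


# Constructed request, modelled on the one in the post, with proper encoding.
REQUEST = ("http://rp/authenticate?a=b&a=c"
           "&openid.return_to=http%3A%2F%2Frp%2Fauthenticate%3Fa%3Db"
           "&openid.mode=id_res")

if __name__ == "__main__":
    rt = extract_return_to(REQUEST)
    print("return_to     :", rt)
    print("spec_check    :", spec_check(REQUEST, rt))     # letter of 11.1 satisfied
    print("strict_check  :", strict_check(REQUEST, rt))   # rejected: 'a' appears twice
    print("views of 'a'  :", library_views(REQUEST, "a"))
```

Running it shows the point of the post: the request passes the check as worded, fails the stricter one, and a library that keeps the first, last or every value of `a` sees three different things.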