Commit 6e7185b
committed
Fix wildcard check_origin vulnerability.
Previously, our documentation points to a wilcard example of:
check_origin: [
"//*.other.com"
]
Which should allow any subdomain of "other.com", but our comparison
for `"//*.other.com"` would allow `api.any-other.com`, which would
allow an attacker to register a domain with a custom prefix of a target
domain and pass origin checks. This patch ensures the `String.ends_with?`
check includes the subdomain dot prefix.
Who is affected?
Only those using a wildcard check origin are affected, and potential
exploits are limited to allowing unauthenticated channel connections
from a bad host. Because LiveView adds its own csrf token to the
connection by default, LiveView applications with wildcard check origin
would refuse connection under this scenario. Additionally, channel
applications utilizing token based authentication would require the
attacker to also have a valid token to connection from a bad host.
Phoenix channels does not allow access to cookies, so an attacker would
also not be able to pass their own cookies from a bad host.1 parent f103409 commit 6e7185b
File tree
2 files changed
+16
-1
lines changed- lib/phoenix/socket
- test/phoenix/socket
2 files changed
+16
-1
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
624 | 624 | | |
625 | 625 | | |
626 | 626 | | |
627 | | - | |
| 627 | + | |
628 | 628 | | |
629 | 629 | | |
630 | 630 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
85 | 85 | | |
86 | 86 | | |
87 | 87 | | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
88 | 94 | | |
89 | 95 | | |
90 | 96 | | |
| |||
93 | 99 | | |
94 | 100 | | |
95 | 101 | | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
96 | 111 | | |
97 | 112 | | |
98 | 113 | | |
| |||
0 commit comments