indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Call out IP based client_id should not be fetched #106

Closed sebsel closed 2 years ago

sebsel commented 2 years ago

The IndieAuth spec says: "Additionally, host names MUST be domain names or a loopback interface and MUST NOT be IPv4 or IPv6 addresses except for IPv4 127.0.0.1 or IPv6 [::1]."

And further down: "The authorization endpoint SHOULD fetch the client_id URL to retrieve application information [...]"

Is that a good idea if it can point to 127.0.0.1 / localhost? Sounds like the start of scary things.

This is my attempt to fix that. Hope I picked the right place and words.

sebsel commented 2 years ago

Thinking out loud: if this is the case, then should localhost be listed too? Feels like this opens a large set of other hosts too that we can't all mention but can be local too.

aaronpk commented 2 years ago

This makes sense. Separately, we can recommend that the server resolve the domain name first and not fetch the URL if it resolves to an IP address in the loopback (RFC 5735) or other restricted range (e.g. I can make a domain name localhost.example.com that resolves to 127.1.1.1, which is also a loopback address). I'll add that as a separate commit.
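The resolve-then-check rule described in the comment above, as an added example (not code from the IndieAuth project or the spec): a gate an authorization endpoint could run before fetching `client_id`. The resolver is injectable so the check runs offline; `FAKE_DNS`, `fake_resolver` and all addresses in it are constructed, including the `localhost.example.com` → `127.1.1.1` case from the comment.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver: ask the OS for every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_restricted(ip) -> bool:
    """Loopback (RFC 5735 127/8 and ::1), private, link-local, multicast,
    unspecified and reserved ranges must never be fetched by the server."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def should_fetch_client_id(client_id: str, resolver: Resolver = system_resolver) -> bool:
    """True only when fetching client_id is safe; fails closed otherwise.
    The HTTP client should then connect to the vetted address rather than
    resolving the name a second time, or the check can be bypassed."""
    parts = urlsplit(client_id)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    # IP-literal hosts: the spec permits only 127.0.0.1 / [::1] as client_id
    # values, but the endpoint should fetch neither those nor any other literal.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Resolve first, then refuse if *any* answer lands in a restricted range.
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False
    return bool(addrs) and not any(is_restricted(a) for a in addrs)


# Constructed DNS answers for offline demonstration; not real records.
FAKE_DNS = {
    "localhost.example.com": ["127.1.1.1"],            # loopback via a domain name
    "app.example.com": ["93.184.216.34"],              # constructed public answer
    "intranet.example.com": ["93.184.216.34", "10.0.0.5"],  # one private answer
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```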