From 3ee88196da173f86290921f65b04223b2779970e Mon Sep 17 00:00:00 2001
From: Scott Helme
Date: Fri, 27 Mar 2026 19:41:51 +0000
Subject: [PATCH] Fix _checkOrigin() to require domain boundary check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The suffix regex accepted lookalike domains (e.g. evil-example.com for RP ID example.com). Replace with exact match or dot-boundary subdomain check per W3C WebAuthn Level 2 spec §7.1 Step 5 / §7.2 Step 9.
---
 src/WebAuthn.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/WebAuthn.php b/src/WebAuthn.php
index f2eb755..0f17c36 100644
--- a/src/WebAuthn.php
+++ b/src/WebAuthn.php
@@ -636,9 +636,12 @@ private function _checkOrigin($origin) {
 $host = \parse_url($origin, PHP_URL_HOST);
 $host = \trim($host, '.');
- // The RP ID must be equal to the origin's effective domain, or a registrable
- // domain suffix of the origin's effective domain.
- return \preg_match('/' . \preg_quote($this->_rpId) . '$/i', $host) === 1;
+ // The RP ID must be equal to the origin's effective domain, or the
+ // origin's host must be a subdomain of the RP ID (i.e. preceded by a dot).
+ if (\strcasecmp($host, $this->_rpId) === 0) {
+ return true;
+ }
+ return \str_ends_with(\strtolower($host), '.' . \strtolower($this->_rpId));
 }
 /**
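Review bot: The new return line depends on `\str_ends_with`, which only exists on PHP 8.0+, so if the package's composer constraint still admits PHP 7.x this hunk silently raises the minimum version and should be paired with either a constraint bump or a `\substr_compare` fallback. The two added branches also fold case by different means (`\strcasecmp` on the equality line, `\strtolower` on the suffix line); lowering both values once keeps the two checks obviously consistent: `$host = \strtolower($host); $rpId = \strtolower($this->_rpId); return $host === $rpId || \str_ends_with($host, '.' . $rpId);`. On the unchanged line above, `\parse_url` yields `null` when `$origin` has no host and `false` when it is malformed, which after `\trim` becomes `''` and correctly fails both comparisons, but `\trim(null, '.')` emits a deprecation on PHP 8.1+, so `\trim((string) $host, '.')` is cheap insurance. The new logic still trusts the configured `_rpId` to be a registrable domain rather than a bare public suffix, which is the RP's configuration responsibility and would be worth stating in the method's docblock, e.g. `@param string $origin Origin from clientDataJSON; the configured RP ID must be a registrable domain, not a public suffix`. The method's signature and docblock sit outside the hunk.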