Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Utkarsh Gupta <email@example.com> writes:
> Just a quick question about this patch since I haven't really tested
> this at all (however aware of the CVE),
> Is checking the signature before sending a request to the openid.claimed_id URL
> strict enough?
Yes, that is my understanding. If the signature is checked, that makes
it impossible for a third party to change the claimed_id URL, rendering
the attack impossible.
I don't claim to be an expert on this however.
Brian May <firstname.lastname@example.org>
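The ordering the thread settles on (verify the signature on the positive assertion first, and only then contact the openid.claimed_id URL) can be shown in a few lines of Ruby. The block below is an added illustration written for this note, not code from ruby-openid or from either correspondent. It assumes an OpenID 2.0 association of type HMAC-SHA256, so the signature is a base64 HMAC over the key-value form of the fields listed in openid.signed; the association secret, the response fields and the discovery fetcher are all constructed for the demo and stand in for real ones.

```ruby
require 'openssl'
require 'base64'

# Key-value form as OpenID 2.0 defines it: "key:value\n" per signed field, in order.
def kv_form(params, signed_fields)
  signed_fields.map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
end

# Signature for an HMAC-SHA256 association: base64(HMAC-SHA256(secret, kv_form)).
def openid_signature(params, assoc_secret, signed_fields)
  mac = OpenSSL::HMAC.digest('SHA256', assoc_secret, kv_form(params, signed_fields))
  Base64.strict_encode64(mac)
end

# Constant-time comparison so a wrong signature cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Fields that must be covered by the signature before anything in the response is trusted.
REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle claimed_id identity].freeze

# Returns :verified only after the signature checks out; the discovery fetcher
# (which would perform the HTTP request to claimed_id) is never called otherwise.
def verify_id_res(params, assoc_secret, discovery_fetcher)
  return :rejected unless params['openid.mode'] == 'id_res'
  signed_fields = params['openid.signed'].to_s.split(',')
  return :rejected unless (REQUIRED_SIGNED - signed_fields).empty?
  expected = openid_signature(params, assoc_secret, signed_fields)
  return :rejected unless secure_equal?(expected, params['openid.sig'].to_s)
  # Signature verified: now, and only now, the relying party contacts claimed_id.
  discovery_fetcher.call(params['openid.claimed_id'])
  :verified
end

# Constructed demo material (assumed values, not from any real provider).
DEMO_SECRET = 'constructed-association-secret'.freeze

def demo_response
  fields = {
    'openid.ns' => 'http://specs.openid.net/auth/2.0',
    'openid.mode' => 'id_res',
    'openid.op_endpoint' => 'https://op.example/endpoint',
    'openid.return_to' => 'https://rp.example/return',
    'openid.response_nonce' => '2019-06-01T00:00:00Zabc',
    'openid.assoc_handle' => 'handle-1',
    'openid.claimed_id' => 'https://alice.example/',
    'openid.identity' => 'https://alice.example/',
    'openid.signed' => 'op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity'
  }
  fields['openid.sig'] = openid_signature(fields, DEMO_SECRET, fields['openid.signed'].split(','))
  fields
end

# Runs the check on the demo response, optionally with claimed_id altered after
# signing, and reports which URLs the fetcher was asked to contact.
def run_demo(altered_claimed_id = nil)
  fetched = []
  params = demo_response
  params['openid.claimed_id'] = altered_claimed_id if altered_claimed_id
  status = verify_id_res(params, DEMO_SECRET, ->(url) { fetched << url })
  [status, fetched]
end

if __FILE__ == $PROGRAM_NAME
  p run_demo                            # untouched response: verified, one fetch
  p run_demo('https://other.example/')  # claimed_id changed after signing: rejected, no fetch
end
```

The point of the `fetched` array is to make the ordering observable: when claimed_id is changed after the provider signed the response, the signature no longer matches and the fetcher records nothing, so the relying party never issues a request to a URL it did not get from the signed assertion.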