Problem
The None attestation format handler in None::validateAttestation() returns true unconditionally without checking the contents of attStmt.
Per W3C WebAuthn spec §8.7 (None Attestation Statement Format):
"If attStmt is a properly formed attestation statement, verify that attStmt is an empty CBOR map."
Currently, an attacker could send an attestation object with fmt: "none" but include arbitrary data in attStmt (e.g. {"foo": "bar"}) and it would be silently accepted.
Suggested fix
Add a check at the top of None::validateAttestation() that verifies attStmt is empty:

```php
// Reject any "none" attestation whose attStmt carries data (spec §8.7 requires an empty CBOR map)
if (\count($this->_attestationObject['attStmt']) > 0) {
    throw new WebAuthnException('invalid none attestation: attStmt must be empty', WebAuthnException::INVALID_DATA);
}
```
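To show the check end to end, here is an added, self-contained Python example (not code from the library this issue is about). It includes a minimal CBOR decoder for the definite-length types an attestation object uses, two constructed attestation objects (a well-formed "none" attestation and one that smuggles `{"foo": "bar"}` into attStmt), the permissive behaviour described in the report, and the corrected validator. The validator additionally confirms that attStmt is a map, since the spec wording is "an empty CBOR map", not merely "empty"; that extra type check is my choice, not something the issue states.

```python
from typing import Any, Tuple


class WebAuthnError(ValueError):
    """Raised when an attestation object fails validation."""


def _decode(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Decode one definite-length CBOR item starting at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise WebAuthnError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):
        width = 1 << (info - 24)
        if pos + width > len(buf):
            raise WebAuthnError("truncated CBOR length")
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise WebAuthnError("indefinite-length CBOR items not supported")
    if major == 0:                      # unsigned int
        return arg, pos
    if major == 1:                      # negative int
        return -1 - arg, pos
    if major in (2, 3):                 # byte string / text string
        if pos + arg > len(buf):
            raise WebAuthnError("truncated CBOR string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:                      # array
        items = []
        for _ in range(arg):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                      # map
        result = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            val, pos = _decode(buf, pos)
            result[key] = val
        return result, pos
    raise WebAuthnError(f"unsupported CBOR major type {major}")


def decode_attestation_object(buf: bytes) -> dict:
    """Decode a CBOR attestation object and require it to be a single top-level map."""
    value, end = _decode(buf, 0)
    if end != len(buf) or not isinstance(value, dict):
        raise WebAuthnError("attestation object must be exactly one CBOR map")
    return value


def validate_none_unchecked(att_obj: dict) -> bool:
    """The permissive behaviour described in the report: accepts any attStmt for fmt 'none'."""
    return att_obj.get("fmt") == "none"


def validate_none(att_obj: dict) -> bool:
    """Corrected check per WebAuthn §8.7: attStmt for fmt 'none' must be an empty CBOR map."""
    if att_obj.get("fmt") != "none":
        raise WebAuthnError("not a none attestation")
    att_stmt = att_obj.get("attStmt")
    if not isinstance(att_stmt, dict):
        raise WebAuthnError("invalid none attestation: attStmt must be a CBOR map")
    if len(att_stmt) > 0:
        raise WebAuthnError("invalid none attestation: attStmt must be empty")
    return True


# Constructed sample objects (hand-encoded CBOR). authData is a placeholder, not a real
# authenticator data blob; only fmt/attStmt matter for this check.
#   {"fmt": "none", "attStmt": {}, "authData": h'DEADBEEF'}
GOOD_ATT_OBJ = bytes.fromhex(
    "a3" "63666d74" "646e6f6e65" "6761747453746d74" "a0"
    "686175746844617461" "44deadbeef"
)
#   {"fmt": "none", "attStmt": {"foo": "bar"}, "authData": h'DEADBEEF'}
BAD_ATT_OBJ = bytes.fromhex(
    "a3" "63666d74" "646e6f6e65" "6761747453746d74" "a163666f6f63626172"
    "686175746844617461" "44deadbeef"
)


def is_accepted(buf: bytes, strict: bool) -> bool:
    """Return True if the attestation object passes the chosen validator, False if rejected."""
    obj = decode_attestation_object(buf)
    try:
        return validate_none(obj) if strict else validate_none_unchecked(obj)
    except WebAuthnError:
        return False


if __name__ == "__main__":
    for name, blob in (("well-formed", GOOD_ATT_OBJ), ("non-empty attStmt", BAD_ATT_OBJ)):
        print(f"{name}: unchecked={is_accepted(blob, False)} strict={is_accepted(blob, True)}")
```

Running it prints that the unchecked validator accepts both objects while the strict one rejects the second, which is exactly the gap the report describes.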