webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ipn/ipnlocal: validate domain of PopBrowserURL on default control URL (#11394)

Browse Source 
If the client uses the default Tailscale control URL, validate that all
PopBrowserURLs are under tailscale.com or *.tailscale.com. This reduces
the risk of a compromised control plane opening phishing pages for
example.

The client trusts control for many other things, but this is one easy
way to reduce that trust a bit.

Fixes #11393

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2024-03-13 17:31:07 -07:00
committed by GitHub
parent 48eef9e6eb
commit decd9893e4
3 changed files with 71 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/ipnlocal/local.go
+11 -1
View File
@@ -2503,11 +2503,21 @@ func (b *LocalBackend) validPopBrowserURL(urlStr string) bool {
if err != nil {
return false
}
serverURL := b.Prefs().ControlURLOrDefault()
if ipn.IsLoginServerSynonym(serverURL) {
// When connected to the official Tailscale control plane, only allow
// URLs from tailscale.com or its subdomains.
if h := u.Hostname(); h != "tailscale.com" && !strings.HasSuffix(u.Hostname(), ".tailscale.com") {
return false
}
// When using a different ControlURL, we cannot be sure what legitimate
// PopBrowserURLs they will send. Allow any domain there to avoid
// breaking existing user setups.
}
switch u.Scheme {
case "https":
return true
case "http":
serverURL := b.Prefs().ControlURLOrDefault()
// If the control server is using plain HTTP (likely a dev server),
// then permit http://.
return strings.HasPrefix(serverURL, "http://")