Skip to content

Reject invalid backup flags combination BS without BE#129

Open
ScottHelme wants to merge 1 commit intolbuchs:masterfrom
ScottHelme:reject-invalid-backup-flags
Open

Reject invalid backup flags combination BS without BE#129
ScottHelme wants to merge 1 commit intolbuchs:masterfrom
ScottHelme:reject-invalid-backup-flags

Conversation

@ScottHelme
Copy link
Copy Markdown

@ScottHelme ScottHelme commented Mar 27, 2026

Per the W3C WebAuthn spec (§6.3.3 Authenticator Data / Level 3 §6.1), the Backup State (BS) flag cannot be set without the Backup Eligible (BE) flag also being set. This is a logically impossible state — a credential cannot claim to be backed up if it is not eligible for backup.

Currently _readFlags() parses both flags but does not validate this constraint, so crafted authenticatorData with BS=1, BE=0 is silently accepted.

This adds validation after the named flags are assigned:

if ($flags->isBackup && !$flags->isBackupEligible) {
    throw new WebAuthnException('invalid backup flags: BS without BE', WebAuthnException::INVALID_DATA);
}

Fixes #128

@ScottHelme
Reject invalid backup flags combination BS without BE
7531bbb 
Per the WebAuthn spec (§6.3.3 / Level 3 §6.1), Backup State (BS)
cannot be set without Backup Eligible (BE) also being set. This is
a logically impossible state that no legitimate authenticator should
produce.

Fixes lbuchs#128
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Invalid backup flags combination BS=1 BE=0 accepted

1 participant

@ScottHelme