Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
LNURLp extension not enforcing domain constraints on `successAction`
See original GitHub issueAs @Perlover discovered in Fittiboy/bitcoin-on-twitch#9, it is possible to set a successAction url that doesn’t match the callback url used during the payment flow. This is not allowed according to the spec:
{
tag: 'url'
description: 'Thank you for your purchase. Here is your order details' // Up to 144 characters
url: 'https://www.ln-service.com/order/<orderId>' // url domain must be the same as `callback` domain at step 3
}
It is enforced by at least BLW, and potentially other wallets.
Changing success_url to success_path, and appending this to the domain used during the payment flow would solve this problem.
Issue Analytics
- State:
- Created 2 years ago
- Comments:11 (5 by maintainers)
Top Results From Across the Web
[2105.08619] On the Robustness of Domain Constraints - arXiv
In this paper, we explore how domain constraints limit adversarial ... (2) domain constraints are robust to adversarial examples; enforcing ...
Read more >grails - Domain constraints not working - Stack Overflow
I have a domain class under the domain folder on Grails. I have a simple User entity with a String username attribute and...
Read more >Documentation: 15: ALTER DOMAIN - PostgreSQL
This method is reliable because once the constraint is committed, all new transactions are guaranteed to enforce it against new values of the...
Read more >On the Robustness of Domain Constraints - ACM Digital Library
In this paper, we explore how domain constraints limit adversarial ... (2) domain constraints are robust to adversarial examples; enforcing ...
Read more >Domain Constraints Dialog — pgAdmin 4 6.18 documentation
Use the Domain Constraints dialog to create or modify a domain constraint. A domain constraint confirms that the values provided for a domain...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Following redirects apparently can be disabled on client side which BLW does not do currently, but it will.
This is correct, yes. But I do actually see the point now. When the spec is enforced, a user could not go to a service like https://lnbits.com and create a lnurl-pay link with a malicious
successActionurl.Edit: In order to add a malicious url, one of two things is necessary:
If the spec is enforced, the site owner has full control over whether or not redirects are allowed.