From aac54d63f205b8d4d51dd81546e251f9501ef057 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 16 Aug 2018 02:44:10 -0600 Subject: [PATCH] greenlock checks sni now --- examples/vhost.js | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/examples/vhost.js b/examples/vhost.js index 624491b..9ac1fe9 100644 --- a/examples/vhost.js +++ b/examples/vhost.js @@ -13,7 +13,8 @@ var fs = require('fs'); var finalhandler = require('finalhandler'); var serveStatic = require('serve-static'); var path = require('path'); -var hostnameRe = /^[a-z0-9][\.a-z0-9\-]+$/; +// Allowed characters are a-z,0-9,.,-,_ with TLDs being alpha-only +var hostnameRe = /^[\.a-z0-9_\-]+\.[a-z]+$/i; //require('greenlock-express') require('../').create({ @@ -39,17 +40,13 @@ require('../').create({ return; } - // TODO could test for www/no-www both in directory and IP - var e; + // SECURITY Greenlock validates opts.domains ahead-of-time var hostdir = path.join(srv, opts.domains[0]); - if (!hostnameRe.test(opts.domains[0])) { - e = new Error("rejecting '" + opts.domains[0] + "' because it is not a valid domain name"); - cb(e); - return; - } + // TODO could test for www/no-www both in directory and IP fs.readdir(hostdir, function (err, nodes) { - e = new Error("rejecting '" + opts.domains[0] + "' because '" + hostdir + "' could not be read"); + var e; if (err || !nodes) { + e = new Error("rejecting '" + opts.domains[0] + "' because '" + hostdir + "' could not be read"); console.error(err); console.error(e); cb(e); @@ -74,7 +71,7 @@ require('../').create({ , app: function (req, res) { console.log(req.headers.host); var hostname = (req.headers.host||'').toLowerCase().split(':')[0]; - // sanatize hostname to prevent unauthorized fs access + // SECURITY sanatize hostname to prevent unauthorized fs access if (!hostnameRe.test(hostname)) { res.statusCode = 404; res.end('Bad Hostname');