v2.3.9 add options __sni_allow_dangerous_names and __sni_preserve_case
This commit is contained in:
parent
1abd3e43de
commit
20e8d09219
|
@ -443,6 +443,14 @@ The following variables will be tempalted in any strings passed to the options o
|
||||||
* `~/` replaced with `os.homedir()` i.e. `/Users/aj`
|
* `~/` replaced with `os.homedir()` i.e. `/Users/aj`
|
||||||
* `:hostname` replaced with the first domain in the list i.e. `example.com`
|
* `:hostname` replaced with the first domain in the list i.e. `example.com`
|
||||||
|
|
||||||
|
### Dangerous Options
|
||||||
|
|
||||||
|
By default SNI is made to lowercase and is automatically rejected if it contains invalid characters for a domain.
|
||||||
|
This behavior can be modified:
|
||||||
|
|
||||||
|
* `__dns_allow_dangerous_names` allow SNI names like "Robert'); DROP TABLE Students;"
|
||||||
|
* `__dns_preserve_case` passes SNI names such as "ExAMpLE.coM" without converting to lower case
|
||||||
|
|
||||||
Developer API
|
Developer API
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
|
|
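--- a/index.js
+++ b/index.js
@@ -432,20 +432,21 @@ Greenlock.create = function (gl) {
 if (gl.sni.create) {
 gl.sni = gl.sni.create(gl);
 }
-gl.tlsOptions.SNICallback = function (domain, cb) {
+gl.tlsOptions.SNICallback = function (_domain, cb) {
 // format and (lightly) sanitize sni so that users can be naive
 // and not have to worry about SQL injection or fs discovery
-domain = (domain||'').toLowerCase();
+var domain = (_domain||'').toLowerCase();
 // hostname labels allow a-z, 0-9, -, and are separated by dots
 // _ is sometimes allowed
-if (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf('..')) {
+// REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex
+if (!gl.__sni_allow_dangerous_names && (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf('..'))) {
 log(gl.debug, "invalid sni '" + domain + "'");
 cb(new Error("invalid SNI"));
 return;
 }
 
 try {
-gl.sni.sniCallback(domain, cb);
+gl.sni.sniCallback(gl.__sni_preserve_case && _domain || domain, cb);
 } catch(e) {
 console.error("[ERROR] Something went wrong in the SNICallback:");
 console.error(e);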
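Review bot: With `__sni_allow_dangerous_names` set, the new `if (!gl.__sni_allow_dangerous_names && ...)` line skips the whole check, so an empty name and names containing `..` now reach `gl.sni.sniCallback` unvalidated, even though the comment two lines above still promises protection against fs discovery. If the option is only meant to admit unusual characters, keep the cheap guards outside it, e.g. `if (!domain || -1 !== domain.indexOf('..') || (!gl.__sni_allow_dangerous_names && !/^[a-z0-9_\.\-]+$/i.test(domain))) {`, and in any case state what the flag turns off, e.g. `// __sni_allow_dangerous_names disables this check entirely; gl.sni.sniCallback must then validate the name itself`. The README hunk in this commit documents the options as `__dns_allow_dangerous_names` and `__dns_preserve_case`, while this code reads `gl.__sni_allow_dangerous_names` and `gl.__sni_preserve_case`, so a user following the README gets no effect. The enclosing `Greenlock.create` function and the SNICallback body both continue outside the hunk.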
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "greenlock",
|
"name": "greenlock",
|
||||||
"version": "2.3.8",
|
"version": "2.3.9",
|
||||||
"description": "Let's Encrypt for node.js on npm",
|
"description": "Let's Encrypt for node.js on npm",
|
||||||
"main": "index.js",
|
"main": "index.js",
|
||||||
"files": [
|
"files": [
|
||||||
|
|