From f2d989ffed765fa4d6abdc95202c758dd4236520 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Wed, 4 Jul 2018 01:53:40 -0600
Subject: [PATCH] 
 https://git.coolaj86.com/coolaj86/greenlock-express.js/issues/24 lightly
 sanitize sni

---
 index.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 8f607e5..900b420 100644
--- a/index.js
+++ b/index.js
@@ -389,7 +389,7 @@ Greenlock.create = function (gl) {
                   console.error("");
                   cb(e);
                 }
-              );;
+              );
             }
             else {
               log(gl.debug, 'gl getting from disk or registering new');
@@ -416,6 +416,17 @@ Greenlock.create = function (gl) {
       gl.sni = gl.sni.create(gl);
     }
     gl.tlsOptions.SNICallback = function (domain, cb) {
+      // format and (lightly) sanitize sni so that users can be naive
+      // and not have to worry about SQL injection or fs discovery
+      domain = (domain||'').toLowerCase();
+      // hostname labels allow a-z, 0-9, -, and are separated by dots
+      // _ is sometimes allowed
+      if (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf('..')) {
+        log(gl.debug, "invalid sni '" + domain + "'");
+        cb(new Error("invalid SNI"));
+        return;
+      }
+
       try {
         gl.sni.sniCallback(domain, cb);
       } catch(e) {