protect against an SRV field starting with a hyphen

The original RFC 2782 was fairly lax in restraining what an SRV Service Name may look like, but RFC 6335 is explicitly "MUST NOT". So rather than worrying about warnings, and options to ignore warnings when someone's doing something strange, let's just make it an error to supply a service name which starts with a hyphen. This should be enough to protect against the most likely mis-invocation, where someone doesn't notice that `-srv` takes a string parameter and follows with another option. It's not fool-proof, but it's a 90% solution which buys immediate wins today without being a dead-end which might preclude any better solution in the future.
PennockTech · Oct 9, 2023 · e554c4f · e554c4f
1 parent 0365763
commit e554c4f
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/main.go b/main.go
@@ -119,9 +119,6 @@ func main() {
 		exitServerWarnings = 1
 		errOutStream = os.Stdout
 	}
-	if opts.submissionsLookup {
-		opts.tlsOnConnect = true
-	}
 
 	if opts.showVersion {
 		version()
@@ -131,9 +128,22 @@ func main() {
 		}
 		return
 	}
+
 	if checkFlagsForConflicting() {
 		os.Exit(exitBadFlags)
 	}
+	if opts.submissionsLookup {
+		opts.tlsOnConnect = true
+	}
+	if opts.srvTCPLookup != "" && opts.srvTCPLookup[0] == '-' {
+		// While RFC 2782 doesn't prohibit a leading hyphen, RFC 6335 does.
+		// RFC 6335 § 5.1, "MUST NOT begin or end with a hyphen"
+		// We don't do a full syntax check here, but this should be enough to handle the
+		// most common case of someone missing that `-srv` takes a parameter.
+		fmt.Fprintf(errOutStream, "%s: SRV service names MUST NOT start with a hyphen, %q is invalid\n", os.Args[0], opts.srvTCPLookup)
+		os.Exit(exitBadFlags)
+	}
+
 	if !opts.noCertNames {
 		initCertNames()
 	}