prevent malicious tokens from being anything but urlsafe base64

diafygi · Dec 4, 2015 · 1775b70 · 1775b70 · jomo · Dec 4, 2015
1 parent a866b25
commit 1775b70
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/acme_tiny.py b/acme_tiny.py
@@ -110,6 +110,7 @@ def _send_signed_request(url, payload):
 
         # make the challenge file
         challenge = [c for c in json.loads(result)['challenges'] if c['type'] == "http-01"][0]
+        challenge['token'] = re.sub("[^A-Za-z0-9_\-]", "_", challenge['token'])
         keyauthorization = "{0}.{1}".format(challenge['token'], thumbprint)
         wellknown_path = os.path.join(acme_dir, challenge['token'])
         wellknown_file = open(wellknown_path, "w")