I didn't read the documentation very carefully and thought I could POST /registration with an allowfrom entry for a single host address instead of a CIDR range, e.g.:
```json
{
  "allowfrom": [
    "127.0.0.1"
  ]
}
```
acme-dns filters this invalid allowfrom in acmedb.Register using cidrslice.ValidEntries. The registration is created successfully with no errors, but the returned allowfrom is empty and so is the field in the database for this user:
The documentation specifically says to use a CIDR range but I think there might be a case to be made for rejecting the registration with an error when the allowfrom contains invalid entries. Since allowfrom is a security control I think acme-dns should be conservative and fail fast when it can't fulfill the request as received.

@joohoi What do you think?
I think you are on the right track here, and we should fail early. But from the UX perspective, I think the best way to handle this would be to automatically add a /32 bitmask if none is specified but the IP address itself is valid.
> from the UX perspective, I think the best way to handle this would be to automatically add a /32 bitmask if none is specified but the IP address itself is valid.
This is now finally fixed. I opted not to introduce the magic I proposed in #43 (comment). The only magic is removing [ and ] from the IP addresses, as net.ParseCIDR cannot handle that notation of IPv6 addresses.
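The difference between the reported behaviour and the fail-fast handling discussed in this thread, as an added example that is not acme-dns's own code. The helper names `sanitize`, `silentFilter` and `validateAllowFrom` are hypothetical and the inputs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sanitize strips the [ ] that some clients put around IPv6 addresses,
// because net.ParseCIDR rejects that notation.
func sanitize(entry string) string {
	return strings.NewReplacer("[", "", "]", "").Replace(strings.TrimSpace(entry))
}

// silentFilter models the reported behaviour: invalid entries are dropped
// and the caller never learns that its restriction was not stored.
func silentFilter(entries []string) []string {
	valid := []string{}
	for _, e := range entries {
		if _, _, err := net.ParseCIDR(e); err == nil {
			valid = append(valid, e)
		}
	}
	return valid
}

// validateAllowFrom fails fast: one bad entry rejects the whole request.
func validateAllowFrom(entries []string) ([]string, error) {
	valid := make([]string, 0, len(entries))
	for _, raw := range entries {
		e := sanitize(raw)
		if _, _, err := net.ParseCIDR(e); err != nil {
			return nil, fmt.Errorf("invalid allowfrom entry %q: %w", raw, err)
		}
		valid = append(valid, e)
	}
	return valid, nil
}

func main() {
	req := []string{"127.0.0.1"} // constructed input, same value as the issue's example
	fmt.Printf("silent filter stores: %v\n", silentFilter(req))
	_, err := validateAllowFrom(req)
	fmt.Println("strict validation:", err)
	ok, _ := validateAllowFrom([]string{"127.0.0.1/32", "[2001:db8::1]/128"})
	fmt.Println("accepted:", ok)
}
```

A registration handler built on the strict variant would return the error to the client (for example as an HTTP 400) instead of storing an empty allowfrom.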