Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WFE: Add some basic illegal domain name handling. #122

Merged
merged 1 commit into from
Apr 26, 2018
Merged

WFE: Add some basic illegal domain name handling. #122

merged 1 commit into from
Apr 26, 2018

Conversation

cpu
Copy link
Contributor

@cpu cpu commented Apr 26, 2018

This PR ports some of Boulder's more complex policy.WillingToIssue logic. Prior to this commit Pebble would create new order objects with clearly illegal DNS identifiers. This commit improves this situation by
rejecting the most egregious illegal domains.

Now rejected are:

  1. empty domains
  2. too long domains
  3. domains with illegal characters
  4. domains that are an IP address
  5. domains that end in a '.'

Still left unaddressed are:

  1. fine grained evaluation of individual DNS labels (length, content, etc)
  2. checking for a known ICANN suffix with the public-suffix list
  3. any kind of hostname policy blocklist checking
  4. any kind of IDN or encoding checking

I think this strikes a good balance of catching low hanging fruit and not overly complicating Pebble.

Along the way I deleted the account argument to verifyOrder. It was not being referenced except to check it wasn't nil.

Resolves #121

WFE: Add some basic illegal domain name handling.
f07cf79 
This commit ports some of Boulder's more complex `policy.WillingToIssue`
logic. Prior to this commit Pebble would create new order objects with
clearly illegal DNS identifiers. This commit improves this situation by
rejecting the most egregious illegal domains.

Now rejected are:
1) empty domains
2) too long domains
3) domains with illegal characters
4) domains that are an IP address
5) domains that end in a '.'

Still left unaddressed are:
1) fine grained evaluation of individual DNS labels (length, content,
   etc)
2) checking for a known ICANN suffix with the public-suffix list
3) any kind of hostname policy blocklist checking
4) any kind of IDN or encoding checking

I think this strikes a good balance of catching low hanging fruit and
not overly complicating Pebble.

Along the way I deleted the account argument to `verifyOrder`. It was
not being referenced except to check it wasn't nil.
@cpu cpu self-assigned this Apr 26, 2018
@jsha jsha merged commit 69ac484 into master Apr 26, 2018
@jsha jsha deleted the cpu-more-ident-err-checking branch April 26, 2018 22:02
This was referenced May 3, 2018
Closed
Merged
cpu pushed a commit that referenced this pull request May 3, 2018
@rmbolger @cpu
Allow "*" as a DNS Character (#127)
c5ebb21 
This is a quick fix for the but introduced in PR #122. `*` is not technically a valid DNS character but this commit allows Pebble to treat it as such for a short-term fix to wildcard issuance that was broken in #126.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsha jsha jsha approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

WFE: Improve input error handling for newOrder identifiers
2 participants
@cpu @jsha