Validate token from ACME server

Validate that the token includes only characters from the base64url alphabet as specified by RCF8555. Fixes #64
ndilieto · Feb 15, 2023 · fe91f46 · fe91f46
1 parent 5afdaf0
commit fe91f46
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/uacme.c b/uacme.c
@@ -865,6 +865,11 @@ bool authorize(acme_t *a)
                     warnx("failed to parse challenge");
                     goto out;
                 }
+                for (const char *t = token; *t; t++)
+                    if (!isalnum(*t) && *t != '-' && *t != '_') {
+                        warnx("failed to validate token");
+                        goto out;
+                    }
                 if (strcmp(type, "dns-01") == 0 ||
                         strcmp(type, "tls-alpn-01") == 0)
                     key_auth = sha2_base64url(256, "%s.%s", token, thumbprint);