letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reject mailto URLs with # or ending in ? (#6241) 

Fixes #6231
This commit is contained in:
Jacob Hoffman-Andrews 2022-07-20 16:32:44 -07:00 committed by GitHub
parent 3b09571e70
commit 7dd3211f25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ra/ra.go
View File

@ -468,8 +468,11 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
if parsed.Scheme != "mailto" {
return berrors.InvalidEmailError("contact method %q is not supported", parsed.Scheme)
}
if parsed.RawQuery != "" {
return berrors.InvalidEmailError("contact email [%q] contains hfields", contact)
if parsed.RawQuery != "" || contact[len(contact)-1] == '?' {
return berrors.InvalidEmailError("contact email %q contains a question mark", contact)
}
if parsed.Fragment != "" {
return berrors.InvalidEmailError("contact email %q contains a '#'", contact)
}
if !core.IsASCII(contact) {
return berrors.InvalidEmailError(

6
ra/ra_test.go
View File

@ -416,6 +416,12 @@ func TestValidateContacts(t *testing.T) {
err = ra.validateContacts(context.Background(), []string{"mailto:admin@a.com?no-reminder-emails"})
test.AssertError(t, err, "No hfields in email")
err = ra.validateContacts(context.Background(), []string{"mailto:example@a.com?"})
test.AssertError(t, err, "No hfields in email")
err = ra.validateContacts(context.Background(), []string{"mailto:example@a.com#optional"})
test.AssertError(t, err, "No fragment")
// The registrations.contact field is VARCHAR(191). 175 'a' characters plus
// the prefix "mailto:" and the suffix "@a.com" makes exactly 191 bytes of
// encoded JSON. The correct size to hit our maximum DB field length.