letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

VA: Fix IP redirect bug and bad protocol scheme bug.

This commit is contained in:
Daniel 2018-11-29 15:43:55 -05:00
parent eb8d85260b
commit afad22b812
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
va/va.go
View File

@ -448,6 +448,12 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
req.Header["User-Agent"] = []string{va.userAgent} req.Header["User-Agent"] = []string{va.userAgent}
} }
if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
return berrors.ConnectionFailureError(
"Invalid protocol scheme in redirect target. "+
`Only "http" and "https" protocol schemes are supported, not %q`, req.URL.Scheme)
}
urlHost = req.URL.Host urlHost = req.URL.Host
reqHost := req.URL.Host reqHost := req.URL.Host
var reqPort int var reqPort int
@ -468,6 +474,13 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
reqPort = va.httpPort reqPort = va.httpPort
} }
// We do not want to redirect to any bare IP addresses. Only domain names
if net.ParseIP(reqHost) != nil {
return berrors.ConnectionFailureError(
"Invalid host in redirect target %q. "+
"Only domain names are supported, not IP addresses", reqHost)
}
// Since we've used dialer.DialContext we need to drain the address info // Since we've used dialer.DialContext we need to drain the address info
// channel and build a validation record using it and baseRecord so that // channel and build a validation record using it and baseRecord so that
// we have a record for the host that sent the redirect. // we have a record for the host that sent the redirect.