From c8dbbf005d2014c82792038fa3e2f30aca536e0e Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Tue, 2 Jul 2019 10:42:55 -0700
Subject: [PATCH] Handle unprintable characters in HTTP responses. (#4312)
Fixes #4244.
---
 va/http.go | 2 +-
 va/http_test.go | 23 +++++++++++++++++++++++
 va/va_test.go | 2 +-
 3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/va/http.go b/va/http.go
index 1b8906e2a..4b2783376 100644
--- a/va/http.go
+++ b/va/http.go
@@ -634,7 +634,7 @@ func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, ident ide
 payload := strings.TrimRight(string(body), whitespaceCutset)
 if payload != challenge.ProvidedKeyAuthorization {
- problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
+ problem := probs.Unauthorized("The key authorization file from the server did not match this challenge %q != %q",
 challenge.ProvidedKeyAuthorization, payload)
 va.log.Infof("%s for %s", problem.Detail, ident)
 return validationRecords, problem
diff --git a/va/http_test.go b/va/http_test.go
index 1cee0d37a..79b954efd 100644
--- a/va/http_test.go
+++ b/va/http_test.go
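Review bot: The `%q` verb on `payload` in the va/http.go hunk escapes unprintable bytes but still embeds the whole remote-controlled response body in `problem.Detail` and in the `va.log.Infof` line; the read of `body` is outside this hunk, so confirm it is size-capped, or truncate `payload` before formatting. `%q` also passes printable non-ASCII characters through unchanged, so if the problem detail and the log are meant to be ASCII-only, `%+q` guarantees that. A short comment above the call would keep the verb from being reverted later, e.g. `// payload is remote-controlled: %q escapes unprintable bytes before it reaches the problem detail and the log`. validateHTTP01's body starts and ends outside the hunk.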
@@ -1002,6 +1002,29 @@ func TestHTTPBadPort(t *testing.T) {
 }
 }
+func TestHTTPKeyAuthorizationFileMismatch(t *testing.T) {
+ chall := core.HTTPChallenge01("")
+ setChallengeToken(&chall, expectedToken)
+
+ m := http.NewServeMux()
+ hs := httptest.NewUnstartedServer(m)
+ m.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ w.Write([]byte("\xef\xffAABBCC"))
+ })
+ hs.Start()
+
+ va, _ := setup(hs, 0, "", nil)
+ _, prob := va.validateHTTP01(ctx, dnsi("localhost.com"), chall)
+
+ if prob == nil {
+ t.Fatalf("Expected validation to fail when file mismatched.")
+ }
+ expected := `The key authorization file from the server did not match this challenge "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI" != "\xef\xffAABBCC"`
+ if prob.Detail != expected {
+ t.Errorf("validation failed with %s, expected %s", prob.Detail, expected)
+ }
+}
+
 func TestHTTP(t *testing.T) {
 chall := core.HTTPChallenge01("")
 setChallengeToken(&chall, expectedToken)
diff --git a/va/va_test.go b/va/va_test.go
index 0bd35a10b..80fd46e5c 100644
--- a/va/va_test.go
+++ b/va/va_test.go
@@ -325,7 +325,7 @@ func TestMultiVA(t *testing.T) {
 }
 unauthorized := probs.Unauthorized(
- "The key authorization file from the server did not match this challenge [%s] != [???]",
+ `The key authorization file from the server did not match this challenge %q != "???"`,
 expectedKeyAuthorization)
 internalErr := probs.ServerInternal("Remote PerformValidation RPC failed")
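Review bot: TestHTTPKeyAuthorizationFileMismatch feeds only invalid UTF-8 bytes (`\xef\xff`), so the escaping of control characters, which is the case that matters for keeping a remote response from breaking up log lines or the problem detail, is not pinned by any assertion. A second response body with an embedded `\n` or `\x1b` followed by other text would cover it; the control character must not be trailing, because validateHTTP01 trims `whitespaceCutset` from the right before comparing. Separately, the server started with `hs.Start()` is never closed in the visible lines; add `defer hs.Close()` right after it unless `setup` takes ownership of the server.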