acme/autocert: validate SNI value even more
Follow-up to https://golang.org/cl/42497
Change-Id: I638e7ba5e924a74ce5318e4b50fb18082fd1a43f
Reviewed-on: https://go-review.googlesource.com/42499
Reviewed-by: Alex Vaghin <ddos@google.com>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 12a98a4..a478eff 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -176,9 +176,11 @@
if name == "" {
return nil, errors.New("acme/autocert: missing server name")
}
-
+ if !strings.Contains(strings.Trim(name, "."), ".") {
+ return nil, errors.New("acme/autocert: server name component count invalid")
+ }
if strings.ContainsAny(name, `/\`) {
- return nil, errors.New("acme/autocert: bogus SNI value")
+ return nil, errors.New("acme/autocert: server name contains invalid character")
}
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
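Review bot: The two added checks are still a denylist on a client-controlled value: a name with an empty interior label (`a..b`) or with bytes outside the hostname alphabet passes both and reaches the `context.WithTimeout` line and whatever lookup follows. The test table's expected `cache.Get of foo.com` suggests the name becomes a cache key, so if any cache backend maps keys to file names, an allowlist of letters, digits, `-` and `.` would be the safer shape. At minimum add `if strings.Contains(name, "..") { return nil, errors.New("acme/autocert: server name contains empty label") }`. A short comment above the `ContainsAny` check, e.g. `// name comes from the ClientHello and is untrusted; reject path separators before it is used as a key`, would record why it exists. The enclosing function starts and ends outside this hunk, so later normalisation cannot be ruled out from here.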
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index 643ab2b..0352e34 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -588,8 +588,13 @@
}{
{"foo.com", "cache.Get of foo.com"},
{"foo.com.", "cache.Get of foo.com"},
- {`a\b`, "acme/autocert: bogus SNI value"},
+ {`a\b.com`, "acme/autocert: server name contains invalid character"},
+ {`a/b.com`, "acme/autocert: server name contains invalid character"},
{"", "acme/autocert: missing server name"},
+ {"foo", "acme/autocert: server name component count invalid"},
+ {".foo", "acme/autocert: server name component count invalid"},
+ {"foo.", "acme/autocert: server name component count invalid"},
+ {"fo.o", "cache.Get of fo.o"},
}
for _, tt := range tests {
_, err := m.GetCertificate(&tls.ClientHelloInfo{ServerName: tt.name})
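Review bot: The table does not pin names made only of dots, or names that trip both checks, so the ordering of the two checks is untested. `strings.Trim(name, ".")` reduces `.` and `..` to the empty string, so `{".", "acme/autocert: server name component count invalid"}` and the same row for `".."` should hold. A row such as `{"a/b", "acme/autocert: server name component count invalid"}` would document that the component check wins when the name has no dot. The loop body continues past the end of this hunk.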