Fail closed with malformed allowfrom data in register endpoint (#148)

* Prepare readme for release * Fail closed with malformed allowfrom data in register endpoint
2025-07-07 00:39:05 +07:00 · 2019-02-22 16:53:11 +02:00
parent 395cb7a62c
commit af5d2561d2
3 changed files with 58 additions and 4 deletions
--- a/api.go
+++ b/api.go
@ -22,10 +22,11 @@ type RegResponse struct {
 func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var regStatus int
 	var reg []byte
+	var err error
 	aTXT := ACMETxt{}
 	bdata, _ := ioutil.ReadAll(r.Body)
 	if bdata != nil && len(bdata) > 0 {
-		err := json.Unmarshal(bdata, &aTXT)
+		err = json.Unmarshal(bdata, &aTXT)
 		if err != nil {
 			regStatus = http.StatusBadRequest
 			reg = jsonError("malformed_json_payload")
@ -35,6 +36,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
 			return
 		}
 	}
+
+	// Fail with malformed CIDR mask in allowfrom
+	err = aTXT.AllowFrom.isValid()
+	if err != nil {
+		regStatus = http.StatusBadRequest
+		reg = jsonError("invalid_allowfrom_cidr")
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(regStatus)
+		w.Write(reg)
+		return
+	}
+
 	// Create new user
 	nu, err := DB.Register(aTXT.AllowFrom)
 	if err != nil {