Commit da42d9b

author
Till Brehm
committed
Additional check for #4910 Do not permit to add subdomains of domain acme.invalid
1 parent fb67a58 commit da42d9b

2 files changed

+40
-0
lines changed

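--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -394,6 +394,26 @@ function ssl($event_name, $data) {
 $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
 }
 }
+
+//* and check that SSL cert does not contain subdomain of domain acme.invalid
+if($data["new"]["ssl_action"] == 'save') {
+$tmp = array();
+$crt_data = '';
+exec('openssl x509 -noout -text -in '.escapeshellarg($crt_file),$tmp);
+$crt_data = implode("\n",$tmp);
+if(stristr($crt_data,'.acme.invalid')) {
+$data["new"]["ssl_action"] = '';
+
+$app->log('SSL Certificate not saved. The SSL cert contains domain acme.invalid.', LOGLEVEL_WARN);
+$app->dbmaster->datalogError('SSL Certificate not saved. The SSL cert contains domain acme.invalid.');
+
+/* Update the DB of the (local) Server */
+$app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+
+/* Update also the master-DB of the Server-Farm */
+$app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+}
+}
 
 //* Save a SSL certificate to disk
 if($data["new"]["ssl_action"] == 'save') {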
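Review bot: The acme.invalid check fails open, because `exec('openssl x509 ...', $tmp)` ignores the exit status: when openssl cannot read or parse `$crt_file`, `$tmp` stays empty, `stristr()` finds nothing and `ssl_action` remains `'save'`. Capture the status and reject on failure as well, e.g. `exec('openssl x509 -noout -text -in '.escapeshellarg($crt_file), $tmp, $rc);` followed by `if($rc !== 0 || stristr($crt_data, '.acme.invalid')) {`, ideally with its own log message for the parse-failure case. The new block also sits above the "Save a SSL certificate to disk" step, so as far as the visible lines show, `$crt_file` may still hold the previously stored certificate rather than the submitted one; this should be confirmed against where `$crt_file` is written. The identical block added to server/plugins-available/nginx_plugin.inc.php has the same two issues. ssl() starts and ends outside the hunk.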

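--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -235,6 +235,26 @@ function ssl($event_name, $data) {
 $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
 }
 }
+
+//* and check that SSL cert does not contain subdomain of domain acme.invalid
+if($data["new"]["ssl_action"] == 'save') {
+$tmp = array();
+$crt_data = '';
+exec('openssl x509 -noout -text -in '.escapeshellarg($crt_file),$tmp);
+$crt_data = implode("\n",$tmp);
+if(stristr($crt_data,'.acme.invalid')) {
+$data["new"]["ssl_action"] = '';
+
+$app->log('SSL Certificate not saved. The SSL cert contains domain acme.invalid.', LOGLEVEL_WARN);
+$app->dbmaster->datalogError('SSL Certificate not saved. The SSL cert contains domain acme.invalid.');
+
+/* Update the DB of the (local) Server */
+$app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+
+/* Update also the master-DB of the Server-Farm */
+$app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+}
+}
 
 //* Save a SSL certificate to disk
 if($data["new"]["ssl_action"] == 'save') {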
