Only allow base64url characters in acme-challenge token

mgkeeley · web-flow · commit bf20bd86b308 · 2021-01-10T20:00:26.000+13:00
diff --git a/bin/v-add-letsencrypt-domain b/bin/v-add-letsencrypt-domain
@@ -281,7 +281,7 @@ for auth in $authz; do
             if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
                 conf="$HOMEDIR/$user/conf/web/$domain/nginx.conf_letsencrypt"
                 sconf="$HOMEDIR/$user/conf/web/$domain/nginx.ssl.conf_letsencrypt"
-                echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
+                echo 'location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {' \
                     > $conf
                 echo '    default_type text/plain;' >> $conf
                 echo '    return 200 "$1.'$THUMB'";' >> $conf
