Infra/lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Reworked sensitive domain name and restriction logic (#878)

Browse Source 
* This is a fix for a potential security issue; the old code had edge
  cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
  is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
  CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
  be valid domain names.
This commit is contained in:
Marti Raudsepp
2017-08-17 05:24:49 +03:00
committed by kevgliss
parent 466df367e6
commit 7762d6ed52
10 changed files with 197 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lemur/certificates/schemas.py
View File

@ -55,7 +55,7 @@ class CertificateCreationSchema(CertificateSchema):
class CertificateInputSchema(CertificateCreationSchema):
name = fields.String()
common_name = fields.String(required=True, validate=validators.sensitive_domain)
common_name = fields.String(required=True, validate=validators.common_name)
authority = fields.Nested(AssociatedAuthoritySchema, required=True)
validity_start = ArrowDateTime()