Incomplete regular expression for hostnames #6976

Closed
Nanmozhi22 opened this issue Apr 30, 2024 · 3 comments

@Nanmozhi22

Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.

If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping regular-expression meta-characters such as `.`.

Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds.
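The difference between an unescaped and an escaped host pattern, as an added Go example that is not part of the issue or of the cert-manager/cmctl code. The host `api.example.com`, the sample URLs and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// allowedHost is a constructed placeholder, not a value from the project.
const allowedHost = "api.example.com"

// looseHost leaves "." unescaped, so each dot matches any single character.
var looseHost = regexp.MustCompile(`^api.example.com$`)

// strictHost escapes metacharacters with regexp.QuoteMeta and anchors both ends.
var strictHost = regexp.MustCompile(`^` + regexp.QuoteMeta(allowedHost) + `$`)

// hostOf returns the lower-cased hostname of rawURL, or "" if it does not parse.
func hostOf(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// hostAllowed matches only the parsed hostname, never the whole URL string.
func hostAllowed(re *regexp.Regexp, rawURL string) bool {
	return re.MatchString(hostOf(rawURL))
}

// hostAllowedExact needs no regular expression when the allowlist is literal.
func hostAllowedExact(rawURL string) bool {
	return hostOf(rawURL) == allowedHost
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{
		"https://api.example.com/v1",
		"https://apixexample.com/v1",
		"https://api.example.com.other.test/v1",
	} {
		fmt.Printf("%-40s loose=%-5v strict=%-5v exact=%v\n", raw,
			hostAllowed(looseHost, raw), hostAllowed(strictHost, raw), hostAllowedExact(raw))
	}
}
```

Only the loose pattern accepts the second URL; the third is rejected by all three checks because the pattern is anchored at both ends and applied to the parsed hostname.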

@Nanmozhi22
Author

I will work on this issue

@Nanmozhi22
Author

Internal PR has been opened and code will be updated here soon

@inteon
Member

inteon commented May 14, 2024

cmctl was moved to a separate repo.
The issue has been fixed there in cert-manager/cmctl#66.
Thanks for reporting the issue.

@inteon inteon closed this as completed May 14, 2024