-rw-r--r-- | netlib/certutils.py | 16 | ||||
-rw-r--r-- | test/test_certutils.py | 9 |
2 files changed, 25 insertions, 0 deletions
diff --git a/netlib/certutils.py b/netlib/certutils.py
index 87d9d5d8..3fd57b2b 100644
--- a/netlib/certutils.py
+++ b/netlib/certutils.py
@@ -136,6 +136,18 @@ class CertStore:
 self.remove = True
 self.certdir = tempfile.mkdtemp(prefix="certstore")
+ def check_domain(self, commonname):
+ try:
+ commonname.decode("idna")
+ commonname.decode("ascii")
+ except:
+ return False
+ if ".." in commonname:
+ return False
+ if "/" in commonname:
+ return False
+ return True
+
 def get_cert(self, commonname, sans, cacert=False):
 """
 Returns the path to a certificate.
@@ -147,7 +159,11 @@ class CertStore:
 cacert: An optional path to a CA certificate. If specified, the cert is created if it does not exist, else return None.
+
+ Return None if the certificate could not be found or generated.
 """
+ if not self.check_domain(commonname):
+ return None
 certpath = os.path.join(self.certdir, commonname + ".pem")
 if os.path.exists(certpath):
 return certpath
diff --git a/test/test_certutils.py b/test/test_certutils.py
index 9b917dc6..582fb9c4 100644
--- a/test/test_certutils.py
+++ b/test/test_certutils.py
@@ -35,6 +35,15 @@ class TestCertStore:
 assert c.get_cert("foo.com", [], ca)
 c.cleanup()
+ def test_check_domain(self):
+ c = certutils.CertStore()
+ assert c.check_domain("foo")
+ assert c.check_domain("\x01foo")
+ assert not c.check_domain("\xfefoo")
+ assert not c.check_domain("xn--\0")
+ assert not c.check_domain("foo..foo")
+ assert not c.check_domain("foo/foo")
+
 class TestDummyCert:
 def test_with_ca(self): |
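Review bot: The bare `except:` in `check_domain` also swallows `KeyboardInterrupt` and unrelated programming errors; `except UnicodeError:` should cover the failures the two `decode` calls are expected to raise. Because the accepted name becomes a file name in `get_cert`, the deny list looks thin: a backslash is not rejected, which matters on platforms where it is a path separator, and control characters are let through. A guard such as `if "\\" in commonname or any(ord(c) < 0x20 for c in commonname): return False` would close both. A one-line docstring stating that the method decides whether a name is safe to use as a certificate file name would also help the next reader.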
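Review bot: `certpath` is still built by joining `self.certdir` with the caller-supplied name on the line after the new guard, so the file-system safety of `get_cert` rests entirely on `check_domain` being complete. A containment check after the join would not depend on that list: `if os.path.dirname(os.path.abspath(certpath)) != os.path.abspath(self.certdir): return None`. The new `None` return also applies when `cacert` is given, so any caller that assumed a path in that case needs a check; those callers, and the rest of `get_cert`, are outside this hunk.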
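Review bot: `test_check_domain` creates a `CertStore()` but never calls `c.cleanup()`, unlike the test just above it, so the temporary directory made in the constructor appears to be left behind; add `c.cleanup()` as the last line. The assertion `assert c.check_domain("\x01foo")` pins acceptance of a control character in a name that ends up as a file name, which is worth reconsidering before it is locked in by a test. Cases for a backslash and for the empty string would document the intended behaviour at those edges.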