From e4acace8ea741af798523d6ff1d148d129f23582 Mon Sep 17 00:00:00 2001 From: Aldo Cortesi Date: Sun, 6 Jan 2013 01:34:39 +1300 Subject: Sanity-check certstore common names. --- netlib/certutils.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'netlib/certutils.py') diff --git a/netlib/certutils.py b/netlib/certutils.py index 87d9d5d8..3fd57b2b 100644 --- a/netlib/certutils.py +++ b/netlib/certutils.py @@ -136,6 +136,18 @@ class CertStore: self.remove = True self.certdir = tempfile.mkdtemp(prefix="certstore") + def check_domain(self, commonname): + try: + commonname.decode("idna") + commonname.decode("ascii") + except: + return False + if ".." in commonname: + return False + if "/" in commonname: + return False + return True + def get_cert(self, commonname, sans, cacert=False): """ Returns the path to a certificate. @@ -147,7 +159,11 @@ class CertStore: cacert: An optional path to a CA certificate. If specified, the cert is created if it does not exist, else return None. + + Return None if the certificate could not be found or generated. """ + if not self.check_domain(commonname): + return None certpath = os.path.join(self.certdir, commonname + ".pem") if os.path.exists(certpath): return certpath -- cgit v1.2.3
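Review bot: `check_domain` is a denylist that rejects only `..` and `/`, yet `get_cert` builds the file path from `commonname + ".pem"`, so a name that decodes as ASCII but is empty or contains a backslash or NUL byte still reaches `os.path.join`. An allowlist placed ahead of the existing tests would be tighter, e.g. `if not re.match(r"[A-Za-z0-9*._-]+\Z", commonname): return False`. This assumes `re` is imported in the module, which the hunk does not show, and `*` should be kept only if wildcard names are expected here. The bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`; `except UnicodeError:` covers the decode failures this block guards against. A one-line docstring such as `"""Return True if commonname is safe to use as a certificate file name."""` would record why the method exists.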
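Review bot: The new guard in `get_cert` returns `None` for a rejected common name, the same value the docstring gives for a certificate that could not be found or generated, so a caller cannot tell a malformed name from a miss. No logger is visible in the hunk; if the module has one, a debug-level log line before `return None` would make rejected names visible to whoever operates the proxy. Otherwise a comment such as `# rejected: commonname failed check_domain` at least marks the branch. `get_cert` continues past the end of the hunk, so how `sans` are used is not shown; if they ever feed a file path they need the same check.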