[GH-ISSUE #43] registration with invalid allowfrom fails open #11

Closed
opened 2026-03-13 15:21:08 +03:00 by kerem · 3 comments
Owner

Originally created by @cpu on GitHub (Feb 28, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/43

I didn't read the documentation very carefully and thought I could POST `/registration` with an `allowfrom` entry for a single host address instead of a CIDR range, e.g.:

```
{
    "allowfrom": [
        "127.0.0.1"
    ]
}
```

`acme-dns` filters this invalid `allowfrom` in `acmedb.Register` using `cidrslice.ValidEntries`. The registration is created successfully with no errors, but the returned `allowfrom` is empty and so is the field in the database for this user:

```
{
  "username": "<rand>",
  "password": "<rand>",
  "fulldomain": "<rand>.example.com",
  "subdomain": "<rand>",
  "allowfrom": []
}
```

The documentation specifically says to use a CIDR range but I think there might be a case to be made for rejecting the registration with an error when the `allowfrom` contains invalid entries. Since `allowfrom` is a security control I think `acme-dns` should be conservative and fail fast when it can't fulfill the request as received.

@joohoi What do you think?


@joohoi commented on GitHub (Mar 1, 2018):

I think you are on the right track here, and we should fail early. But from the UX perspective, I think the best way to handle this would be to automatically add a `/32` bitmask if none is specified but the IP address itself is valid.


@cpu commented on GitHub (Mar 1, 2018):

> from the UX perspective, I think the best way to handle this would be to automatically add a /32 bitmask if none is specified but the IP address itself is valid.

That sounds like a nice compromise 👍


@joohoi commented on GitHub (Feb 5, 2019):

This is now finally fixed. I opted not to introduce the magic I proposed in https://github.com/joohoi/acme-dns/issues/43#issuecomment-369604662 . The only magic is removing `[` and `]` from the IP addresses, as `net.ParseCIDR` cannot handle that notation of IPv6 addresses.
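The difference between the behaviour reported in this issue and the fail-closed handling described in the last comment, as an added example that is not part of the thread and is not acme-dns's own code. The function names `filterAllowFrom` and `validateAllowFrom` and the sample requests are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// filterAllowFrom (hypothetical name) shows the reported behaviour: entries
// that are not CIDR ranges are dropped silently, so a request for
// ["127.0.0.1"] is stored with an empty list and the restriction is lost.
func filterAllowFrom(entries []string) []string {
	valid := []string{}
	for _, e := range entries {
		if _, _, err := net.ParseCIDR(e); err == nil {
			valid = append(valid, e)
		}
	}
	return valid
}

// validateAllowFrom (hypothetical name) fails closed: one invalid entry
// rejects the whole list. "[" and "]" are removed first because
// net.ParseCIDR does not accept bracketed IPv6 notation. No /32 is added
// to bare host addresses; they are rejected.
func validateAllowFrom(entries []string) ([]string, error) {
	strip := strings.NewReplacer("[", "", "]", "")
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		c := strip.Replace(e)
		if _, _, err := net.ParseCIDR(c); err != nil {
			return nil, fmt.Errorf("invalid allowfrom entry %q: %w", e, err)
		}
		out = append(out, c)
	}
	return out, nil
}

func main() {
	// Constructed sample requests: a bare host address, then valid ranges.
	reqs := [][]string{{"127.0.0.1"}, {"192.0.2.0/24", "[2001:db8::]/32"}}
	for _, req := range reqs {
		strict, err := validateAllowFrom(req)
		fmt.Printf("%v filter=%v strict=%v err=%v\n",
			req, filterAllowFrom(req), strict, err)
	}
}
```

A registration handler using the strict form would return a client error instead of creating the account when `validateAllowFrom` reports an error.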
