From 95a6b61cdc630dff91b9e9368914c04bd2a6a146 Mon Sep 17 00:00:00 2001 From: alexzorin Date: Wed, 9 Sep 2020 07:14:54 +1000 Subject: [PATCH] nginx: fix server_name case-sensitivity in parser (#8263) This commit fixes an issue with the nginx parser where it would perform case-sensitive matching against server_name. This would cause the authenticator and installer to ignore existing virtualhosts containing uppercase characters, resulting in duplicate virtualhosts and broken configurations. "Exact" and "wildcard" matching is now case-insensitive. Regex-based matching will continue to respect the case mode of the pattern. Fixes #6776. --- certbot-nginx/certbot_nginx/_internal/parser.py | 9 +++++---- certbot-nginx/tests/parser_test.py | 8 ++++++-- certbot/CHANGELOG.md | 1 + 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/certbot-nginx/certbot_nginx/_internal/parser.py b/certbot-nginx/certbot_nginx/_internal/parser.py index bb0bb7d6f..641ffb020 100644 --- a/certbot-nginx/certbot_nginx/_internal/parser.py +++ b/certbot-nginx/certbot_nginx/_internal/parser.py @@ -496,7 +496,8 @@ def get_best_match(target_name, names): def _exact_match(target_name, name): - return name in (target_name, '.' + target_name) + target_lower = target_name.lower() + return name.lower() in (target_lower, '.' + target_lower) def _wildcard_match(target_name, name, start): @@ -517,11 +518,11 @@ def _wildcard_match(target_name, name, start): if first not in ('*', ''): return False - target_name = '.'.join(parts) - name = '.'.join(match_parts) + target_name_lower = '.'.join(parts).lower() + name_lower = '.'.join(match_parts).lower() # Ex: www.eff.org matches *.eff.org, eff.org does not match *.eff.org - return target_name.endswith('.' + name) + return target_name_lower.endswith('.' + name_lower) def _regex_match(target_name, name): diff --git a/certbot-nginx/tests/parser_test.py b/certbot-nginx/tests/parser_test.py index 21dd1043d..620d1b6de 100644 --- a/certbot-nginx/tests/parser_test.py 
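Review bot: In `_exact_match`, `str.lower()` applies Unicode case mapping, while host names are case-insensitive only over ASCII letters, so a configured name containing a character such as U+212A (Kelvin sign, which lower-cases to `k`) would now compare equal to a plain-ASCII target. That widens what the parser treats as the same virtual host beyond what an ASCII-only fold would, and the same applies to the `.lower()` calls in the `_wildcard_match` hunk that follows. If non-ASCII `server_name` values are not expected here, say so next to the fold, e.g. `# names are ASCII/punycode; fold case the way DNS does`, or route both functions through one small ASCII-only folding helper.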
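Review bot: The new locals in `_wildcard_match` are spelled `target_name_lower` and `name_lower`, while the `_exact_match` hunk above uses `target_lower` for the same idea; one spelling across both helpers would read better. The example comment above the return still describes only the label rule, so I would extend it to record the new behaviour: `# Ex: www.eff.org matches *.eff.org, eff.org does not match *.eff.org (case is ignored)`. The opening lines of the function are outside this hunk, so how `parts` and `match_parts` are built is not reviewed here.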
+++ b/certbot-nginx/tests/parser_test.py @@ -340,7 +340,9 @@ class NginxParserTest(util.NginxTest): {'*.www.eff.org', 'www.*'}, {'*.org'}, set(), - {'example.com'}] + {'example.com'}, + {'www.Eff.org'}, + {'.efF.org'}] winners = [('exact', 'www.eff.org'), (None, None), ('exact', '.www.eff.org'), @@ -353,7 +355,9 @@ class NginxParserTest(util.NginxTest): ('wildcard_end', 'www.*'), ('wildcard_start', '*.org'), (None, None), - (None, None)] + (None, None), + ('exact', 'www.Eff.org'), + ('wildcard_start', '.efF.org')] for i, winner in enumerate(winners): self.assertEqual(winner, diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md index f212b4f9d..4d08109e1 100644 --- a/certbot/CHANGELOG.md +++ b/certbot/CHANGELOG.md @@ -36,6 +36,7 @@ More details about these changes can be found on our GitHub repo. * The `acme` library can now tell the ACME server to clear contact information by passing an empty `tuple` to the `contact` field of a `Registration` message. * Fixed the `*** stack smashing detected ***` error in the Certbot snap on some systems. +* Fixed `server_name` case-sensitivity in the nginx plugin. More details about these changes can be found on our GitHub repo.
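Review bot: In `parser_test.py`, the added entries `{'www.Eff.org'}` and `{'.efF.org'}` put mixed case only in the configured names and reach only the exact and leading-dot paths; nothing pins `_wildcard_match` for a `*.`-prefixed or trailing-wildcard name, nor for an upper-case target. The target passed to the matcher is outside these hunks, but assuming it is `www.eff.org`, adding `{'*.EFF.org'}` with `('wildcard_start', '*.EFF.org')` and `{'WWW.*'}` with `('wildcard_end', 'WWW.*')` would cover both branches. The expected winners in the second hunk keep the configured spelling (`'www.Eff.org'`), so a one-line comment there, `# the winner is returned with the case used in the config`, would make that intent explicit.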