Closed zetlen closed 2 years ago
Hi @zetlen
Could you elaborate on the reason for disallowing subdomains?
This used to work well in our setup, and now does not, as we require certificate generation for subdomains.
From what I can see, this should not affect the ReDoS issue the original PR mitigates.
@zetlen @davewasmer it breaks subdomains 😮
I think this change also broke "localhost"...
@zetlen Any thoughts on this?
VALID_DOMAIN regex had exponential-time vulnerability on certain strings.
Switched from vulnerable VALID_DOMAIN regex to is-valid-domain lib, which uses a known list of TLDs.
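The thread above describes the trade-off: the old VALID_DOMAIN regex could backtrack exponentially on crafted input, while the replacement library validates against a TLD list and so rejects single-label names such as "localhost" and, in the reporters' setup, subdomains. The block below is an added example, not code from this PR, from devcert, or from is-valid-domain. It shows a third option a maintainer could consider: a hostname validator that walks the input label by label with no regex at all, so its running time is linear whatever the input looks like, and that accepts subdomains and single-label hosts. The function names, the RFC 1123 length limits applied, and the `allowSingleLabel` option are choices made for this example.

```javascript
// Added example: linear-time hostname validation without a regex or a TLD
// list. Not the project's own code; written for this thread.

// RFC 1123 limits: each label 1-63 characters, whole name at most 253.
const MAX_LABEL = 63;
const MAX_NAME = 253;

// Letters, digits and hyphen are the only characters permitted in a label.
function isLabelChar(c) {
  return (c >= 'a' && c <= 'z') ||
         (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') ||
         c === '-';
}

function isAllDigits(s) {
  if (s.length === 0) return false;
  for (const c of s) if (c < '0' || c > '9') return false;
  return true;
}

// A label is non-empty, within the length limit, made only of label
// characters, and does not start or end with a hyphen.
function isValidLabel(label) {
  if (label.length === 0 || label.length > MAX_LABEL) return false;
  if (label[0] === '-' || label[label.length - 1] === '-') return false;
  for (const c of label) if (!isLabelChar(c)) return false;
  return true;
}

// Validate a hostname. Every character is inspected once, so there is no
// input that makes this take more than linear time, which is the property
// a backtracking regex can lack. options.allowSingleLabel (default true)
// accepts names such as "localhost" that a TLD-list validator rejects.
function isValidHostname(name, options = {}) {
  const allowSingleLabel = options.allowSingleLabel !== false;
  if (typeof name !== 'string') return false;
  // Bound the total length before any per-label work is done.
  if (name.length === 0 || name.length > MAX_NAME) return false;
  // Accept a single trailing dot (fully-qualified form) and strip it.
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  const labels = trimmed.split('.');
  if (labels.length === 1 && !allowSingleLabel) return false;
  for (const label of labels) {
    if (!isValidLabel(label)) return false;
  }
  // An all-numeric final label would make this look like an IPv4 address,
  // which is not a hostname.
  if (isAllDigits(labels[labels.length - 1])) return false;
  return true;
}

// Measure how long validation takes on a constructed worst-case-looking
// input (long runs of hyphens and dots). Returns elapsed milliseconds;
// for this validator it stays in the microsecond range because no
// backtracking is possible.
function timeValidation(input) {
  const start = process.hrtime.bigint();
  isValidHostname(input);
  const end = process.hrtime.bigint();
  return Number(end - start) / 1e6;
}

// Constructed inputs for a quick stand-alone run.
const samples = ['api.staging.example.com', 'localhost', '-bad.example.com',
                 'example.com.', '192.168.0.1', 'a'.repeat(64) + '.com'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isValidHostname(s));
}
console.log('ms on 250-char hyphen/dot string:',
            timeValidation('-.'.repeat(125)));
```

Because the total length is checked first and each label is scanned once, an attacker-controlled string can only ever cost a bounded number of character comparisons; whether a name with a made-up TLD should be trusted for certificate generation is then a policy decision for the caller rather than something the validator decides by backtracking.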