rushmorem / publicsuffix

An implementation of Mozilla's Public Suffix List in Rust
MIT License

`has_known_suffix` always returns true #30

Closed Diggsey closed 3 years ago

Diggsey commented 4 years ago

This is a security vulnerability, as programs may rely on this to screen out local domains, e.g. "example.svc.local".

I understand that the algorithm described on https://publicsuffix.org/list/ specifies that:

If no rules match, the prevailing rule is "*".

However, this is for a specific use-case: when determining what part of the domain is the public suffix. Using this rule when determining whether the suffix is "known" is a huge security hole, as it essentially treats all domains as "known".

Specifically the "type" should be None, if the wildcard rule is used as a fallback.

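A minimal Public Suffix List matcher, added here as an illustration (not the crate's own code), showing the distinction the report asks for: a suffix only counts as known when an actual list rule matched, never when the "*" fallback supplied it. The rule set is a constructed handful of entries, not the real list, and exception rules are left out.

```rust
// Constructed subset of the PSL used for this illustration only.
const RULES: &[&str] = &["com", "uk", "co.uk", "jp", "*.jp"];

/// Outcome of looking up a domain's public suffix.
#[derive(Debug, PartialEq)]
pub enum SuffixMatch {
    /// The suffix came from a real rule on the list.
    Known(String),
    /// No rule matched: the prevailing rule "*" was used as a fallback,
    /// so the "suffix" is just the last label and tells us nothing.
    Unknown(String),
}

/// Rules match label-by-label from the right; "*" matches any one label.
fn rule_matches(rule: &str, labels: &[&str]) -> bool {
    let rule_labels: Vec<&str> = rule.split('.').collect();
    if rule_labels.len() > labels.len() {
        return false;
    }
    rule_labels
        .iter()
        .rev()
        .zip(labels.iter().rev())
        .all(|(r, l)| *r == "*" || r.eq_ignore_ascii_case(l))
}

pub fn public_suffix(domain: &str) -> SuffixMatch {
    let labels: Vec<&str> = domain.trim_end_matches('.').split('.').collect();
    // Among matching rules, the one with the most labels wins.
    let best = RULES
        .iter()
        .filter(|r| rule_matches(r, &labels))
        .max_by_key(|r| r.split('.').count());
    match best {
        Some(rule) => {
            let n = rule.split('.').count();
            SuffixMatch::Known(labels[labels.len() - n..].join("."))
        }
        None => SuffixMatch::Unknown(labels.last().copied().unwrap_or("").to_string()),
    }
}

/// The check the issue is about: only a real list rule counts as "known".
pub fn has_known_suffix(domain: &str) -> bool {
    matches!(public_suffix(domain), SuffixMatch::Known(_))
}

fn main() {
    for d in ["www.example.co.uk", "example.svc.local", "foo.bar.jp"] {
        println!("{}: {:?} known={}", d, public_suffix(d), has_known_suffix(d));
    }
}
```
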
bradfier commented 4 years ago

#31 contains a possible minimal fix for this behaviour.

rushmorem commented 3 years ago

Fixed by https://github.com/rushmorem/publicsuffix/pull/31