Fix well-known lookups with the federation certificate whitelist (#5997)

author: Amber Brown <hawkowl@atleastfornow.net> 2019-09-14 04:58:38 +1000
committer: GitHub <noreply@github.com> 2019-09-14 04:58:38 +1000
commit: 850dcfd2d3a1d689042fb38c8a16b652244068c2 (patch)
tree: 933e1775746bb6d40320bdc664bc85547c6bb2e6 /synapse/config
parent: Add developer docs for using SAML without a server (#6032) (diff)
download: synapse-850dcfd2d3a1d689042fb38c8a16b652244068c2.tar.xz
1 files changed, 8 insertions, 1 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index c0148aa95c..fc47ba3e9a 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -110,8 +110,15 @@ class TlsConfig(Config):
         # Support globs (*) in whitelist values
         self.federation_certificate_verification_whitelist = []
         for entry in fed_whitelist_entries:
+            try:
+                entry_regex = glob_to_regex(entry.encode("ascii").decode("ascii"))
+            except UnicodeEncodeError:
+                raise ConfigError(
+                    "IDNA domain names are not allowed in the "
+                    "federation_certificate_verification_whitelist: %s" % (entry,)
+                )
+
             # Convert globs to regex
-            entry_regex = glob_to_regex(entry)
             self.federation_certificate_verification_whitelist.append(entry_regex)
 
         # List of custom certificate authorities for federation traffic validation
author	Amber Brown <hawkowl@atleastfornow.net>	2019-09-14 04:58:38 +1000
committer	GitHub <noreply@github.com>	2019-09-14 04:58:38 +1000
commit	850dcfd2d3a1d689042fb38c8a16b652244068c2 (patch)
tree	933e1775746bb6d40320bdc664bc85547c6bb2e6 /synapse/config
parent	Add developer docs for using SAML without a server (#6032) (diff)
download	synapse-850dcfd2d3a1d689042fb38c8a16b652244068c2.tar.xz