author | Alberto Bertogli
<albertito@blitiri.com.ar> 2019-08-31 00:03:24 UTC |
committer | Alberto Bertogli
<albertito@blitiri.com.ar> 2019-08-31 00:14:56 UTC |
parent | 0f487e5fb5d03c46cf0526947eb7163d1975fbbc |
internal/sts/sts.go | +5 | -1 |
internal/sts/sts_test.go | +4 | -0 |
diff --git a/internal/sts/sts.go b/internal/sts/sts.go
index 7d76818..94ac925 100644
--- a/internal/sts/sts.go
+++ b/internal/sts/sts.go
@@ -125,7 +125,11 @@ func (p *Policy) Check() error {
 if p.Version != "STSv1" {
 return ErrUnknownVersion
 }
- if p.MaxAge <= 0 {
+
+ // A 0 max age is invalid (could also represent an Atoi error), and so is
+ // one greater than 31557600 (1 year), as per
+ // https://tools.ietf.org/html/rfc8461#section-3.2.
+ if p.MaxAge <= 0 || p.MaxAge > 31557600*time.Second {
 return ErrInvalidMaxAge
 }
diff --git a/internal/sts/sts_test.go b/internal/sts/sts_test.go
index f44fddf..80e24ba 100644
--- a/internal/sts/sts_test.go
+++ b/internal/sts/sts_test.go
@@ -98,6 +98,8 @@ func TestCheckPolicy(t *testing.T) {
 MXs: []string{"mx1"}},
 {Version: "STSv1", Mode: "none", MaxAge: 1 * time.Hour,
 MXs: []string{"mx1"}},
+ {Version: "STSv1", Mode: "none", MaxAge: 31557600 * time.Second,
+ MXs: []string{"mx1"}},
 }
 for i, p := range validPs {
 if err := p.Check(); err != nil {
@@ -111,6 +113,8 @@ func TestCheckPolicy(t *testing.T) {
 }{
 {Policy{Version: "STSv2"}, ErrUnknownVersion},
 {Policy{Version: "STSv1"}, ErrInvalidMaxAge},
+ {Policy{Version: "STSv1", MaxAge: 31557601 * time.Second},
+ ErrInvalidMaxAge},
 {Policy{Version: "STSv1", MaxAge: 1, Mode: "blah"}, ErrInvalidMode},
 {Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce"}, ErrInvalidMX},
 {Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce", MXs: []string{}},
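Review bot: The new upper bound in the added `if p.MaxAge <= 0 || p.MaxAge > 31557600*time.Second` only rejects values that survive the conversion to a time.Duration; if the parser, which is outside this hunk, builds MaxAge as `time.Duration(n) * time.Second` from the unchecked integer the "Atoi error" comment hints at, a hostile policy can carry a max_age large enough to wrap int64 and land back inside the accepted window, so the 31557600 limit should also be applied to the raw integer before the multiplication. The literal `31557600*time.Second` is now written three times across the check and the two new test cases; a package constant such as `const maxMaxAge = 31557600 * time.Second // RFC 8461 section 3.2 upper bound (1 year)` would keep them in step and document the boundary once. Check's body starts and ends outside the hunk.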