From 618dc27fbf532c1d742a472bfd5b82d824efdf50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Richard=20K=C3=B6rber?=
Date: Sun, 13 Dec 2015 14:24:43 +0100
Subject: [PATCH] Validate nonce header

---
 .../org/shredzone/acme4j/connector/Connection.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/connector/Connection.java b/acme4j-client/src/main/java/org/shredzone/acme4j/connector/Connection.java
index 3ec21825..5eec9be6 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/connector/Connection.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/connector/Connection.java
@@ -27,6 +27,7 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.EnumMap;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import org.jose4j.base64url.Base64Url;
 import org.jose4j.json.JsonUtil;
@@ -51,6 +52,8 @@ public class Connection implements AutoCloseable {
 
 private static final Logger LOG = LoggerFactory.getLogger(Connection.class);
 
+ private static final Pattern BASE64URL_PATTERN = Pattern.compile("[0-9A-Za-z_-]+");
+
 private final AcmeClientProvider provider;
 
 protected HttpURLConnection conn;
@@ -77,7 +80,6 @@ public class Connection implements AutoCloseable {
 LOG.debug("Initial replay nonce from {}", uri);
 HttpURLConnection localConn = provider.openConnection(uri);
 localConn.setRequestMethod("HEAD");
- localConn.setRequestProperty("Accept-Charset", "utf-8");
 localConn.connect();
 session.setNonce(getNonceFromHeader(localConn));
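Review bot: BASE64URL_PATTERN, added in the second hunk, constrains only the alphabet and not the length, so a Replay-Nonce value that is well-formed by this regex (for example a single character) still reaches Base64Url.decode in the getNonceFromHeader hunk, where the outcome depends on the jose4j decoder rather than on this validation. The constant should carry a comment stating that contract, e.g. `/** Unpadded base64url alphabet (RFC 4648 section 5); matches() anchors it, but length is not checked, so decode may still reject the value. */`. If the intent is to guarantee a decodable nonce before logging it, the length would need a separate check; I cannot tell from the hunk whether that was intended.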
@@ -301,10 +303,14 @@ public class Connection implements AutoCloseable {
 */
 protected byte[] getNonceFromHeader(HttpURLConnection localConn) throws AcmeException {
 String nonceHeader = localConn.getHeaderField("Replay-Nonce");
- if (nonceHeader == null) {
+ if (nonceHeader == null || nonceHeader.trim().isEmpty()) {
 throw new AcmeException("No replay nonce");
 }
 
+ if (!BASE64URL_PATTERN.matcher(nonceHeader).matches()) {
+ throw new AcmeException("Invalid replay nonce: " + nonceHeader);
+ }
+
 LOG.debug("Replay Nonce: {}", nonceHeader);
 return Base64Url.decode(nonceHeader);