Fix 1592: Allow insecure CA URL on internal networks (#1607)

* Strip brackets in IsInternal if no port, allow loopback for CA URLs * Fix a mistake * Improve the trim * Fix comment
2025-01-23 09:06:29 +01:00 · 2017-04-26 14:00:49 -04:00 · 2017-04-26 14:00:49 -04:00 · 1bae36ef29
commit 1bae36ef29
parent 52fd4f89bf
2 changed files with 6 additions and 1 deletions
--- a/caddy.go
+++ b/caddy.go
@ -777,7 +777,10 @@ func IsInternal(addr string) bool {

 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
-		host = addr // happens if the addr is just a hostname
+		host = addr // happens if the addr is just a hostname, missing port
+		// if we encounter an error, the brackets need to be stripped
+		// because SplitHostPort didn't do it for us
+		host = strings.Trim(host, "[]")
 	}
 	ip := net.ParseIP(host)
 	if ip == nil {
--- a/caddy_test.go
+++ b/caddy_test.go
@ -94,6 +94,8 @@ func TestIsInternal(t *testing.T) {
 		{"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false},
 		{"fc00::", true},
 		{"fc00::1", true},
+		{"[fc00::1]", true},
+		{"[fc00::1]:8888", true},
 		{"fdff:ffff:ffff:ffff:ffff:ffff:ffff:fffe", true},
 		{"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true},
 		{"fe00::", false},