From 3f82fc8f0c8e3382f7134bafca19bf79af0cfe29 Mon Sep 17 00:00:00 2001
From: Matej Baco <matejbacocom@gmail.com>
Date: Fri, 11 Feb 2022 11:37:34 +0100
Subject: [PATCH] Added ACME validator

---
 app/controllers/general.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/app/controllers/general.php b/app/controllers/general.php
index 30eb1ff8d6..25d5f9708d 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -5,6 +5,7 @@ require_once __DIR__.'/../init.php';
 use Utopia\App;
 use Utopia\Swoole\Request;
 use Appwrite\Utopia\Response;
+use Utopia\Validator\Text;
 use Utopia\View;
 use Utopia\Exception;
 use Utopia\Config\Config;
@@ -440,8 +441,25 @@ App::get('/.well-known/acme-challenge')
     ->inject('request')
     ->inject('response')
     ->action(function ($request, $response) {
+        $uriChunks = \explode('/', $request->getURI());
+        $token = $uriChunks[\count($uriChunks) - 1];
+
+        $validator = new Text(100, [
+            ...Text::NUMBERS,
+            ...Text::ALPHABET_LOWER,
+            ...Text::ALPHABET_UPPER,
+            '-',
+            '_'
+        ]);
+
+        if (!$validator->isValid($token) || \count($uriChunks) !== 4) {
+            throw new Exception('Invalid challenge token.', 400);
+        }
+
+        $filePath = '/.well-known/acme-challenge' . $token;
+
         $base = \realpath(APP_STORAGE_CERTIFICATES);
-        $path = \str_replace('/.well-known/acme-challenge/', '', $request->getURI());
+        $path = \str_replace('/.well-known/acme-challenge/', '', $filePath);
         $absolute = \realpath($base.'/.well-known/acme-challenge/'.$path);
 
         if (!$base) {