Skip to content

GitLab Next

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
GitLab FOSS
GitLab FOSS
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 0
    • Issues 0
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
    • Iterations
  • Merge Requests 0
    • Merge Requests 0
  • Requirements
    • Requirements
    • List
  • Security & Compliance
    • Security & Compliance
    • Dependency List
    • License Compliance
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • Code Review
    • Insights
    • Issue
    • Repository
    • Value Stream
  • Snippets
    • Snippets
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
  • GitLab.org
  • GitLab FOSSGitLab FOSS
  • Issues
  • #57068

Closed
Open
Opened Jan 30, 2019 by Dylan Grafmyre@dylan.grafmyre

gitlab pages: dots in subdomain break tls, need to sanitize periods (.) to hypens (-) in pages subdomain

Summary

when a namespace contains a period within it, the sudomain portion of the gitlab-pages domain gets a period injected into it, which conflicts with ssl/tls certificate wildcard machinery

Steps to reproduce

enable tls on gitlab pages, example "pages.example.org" create a user with a dot in the username, example "foo.bar" setup an example gitlab-pages build build the gitlab pages (gitlab runner required) visit the gitlab pages url with tls "foo.bar.pages.example.org" note that tls certificate issued for ".pages.example.org" is invalid for ".*.pages.example.org"

I would have issued a certificate for the double wildcard, however its common for public tls authorities to forbid double wildcard certificates or tls SANs

Example Project

$ http https://examplefoo.bar.gitlab.io/gitlab-pages-test/

http: error: ConnectionError: HTTPSConnectionPool(host='examplefoo.bar.gitlab.io', port=443): Max retries exceeded with url: /gitlab-pages-test/ (Caused by SSLError(CertificateError("hostname 'examplefoo.bar.gitlab.io' doesn't match either of '*.gitlab.io', 'gitlab.io'",),))

What is the current bug behavior?

dots are injected into dns subdomains, which is incompatible with tls

What is the expected correct behavior?

dots should be sanitized (possibly to a hyphen) in subdomain parts, making dotted namespaces compatible with gitlab pages in a current tls deployment

Output of checks

This bug happens on GitLab.com

Possible fixes

if I knew I would suggest a fix, the codebase is too vast for me to identify this at a glance

Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: gitlab-org/gitlab-foss#57068