rob05c opened a new issue #5658: URL: https://github.com/apache/trafficcontrol/issues/5658
## I'm submitting a ... - improvement request (usability, performance, tech debt, etc.) ## Traffic Control components affected ... - Traffic Ops ## Current behavior: Traffic Ops validates that Delivery Service names (xmlId) don't contain spaces or periods: https://github.com/apache/trafficcontrol/blob/6959ec/traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go#L1328 But it doesn't verify it's a valid FQDN component. Traffic Portal does, but Traffic Ops doesn't. There is specifically an interest in prohibiting underscores, which we use in Header Rewrite files, e.g. `hdr_rw_mid_foo.config`. As-is, if an untrusted person were allowed to make Delivery Services, they could create a Delivery Service named "mid_foo" in order to attack and manipulate a different Delivery Service. This isn't a huge issue today, without Self Service, but it will be if and when we ever get there. Adding the validation now prevents the future security issue. ## New behavior: Traffic Ops is changed to validate Delivery Service names to only contain alphanumeric and hyphen characters. ## Minimal reproduction of the problem with instructions: POST a new Delivery Service to Traffic Ops with underscores in the xmlID ## Anything else: -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
