use url.JoinPath to correctly escape and join x5u and chainName

mozilla-services · Sep 4, 2024 · b91d6ce · b91d6ce
1 parent 0fdb335
commit b91d6ce
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/signer/contentsignaturepki/x509.go b/signer/contentsignaturepki/x509.go
@@ -7,7 +7,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"math/big"
-	"path"
+	"net/url"
 	"time"
 
 	"github.com/mozilla-services/autograph/database"
@@ -42,23 +42,25 @@ func (s *ContentSigner) findAndSetEE(conf signer.Configuration) (err error) {
 
 // makeAndUploadChain makes a certificate using the end-entity public key,
 // uploads the chain to its destination and creates an X5U download URL
-func (s *ContentSigner) makeAndUploadChain() (err error) {
-	var fullChain, chainName string
-	fullChain, chainName, err = s.makeChain()
+func (s *ContentSigner) makeAndUploadChain() error {
+	fullChain, chainName, err := s.makeChain()
 	if err != nil {
 		return fmt.Errorf("failed to make chain: %w", err)
 	}
 	err = s.upload(fullChain, chainName)
 	if err != nil {
 		return fmt.Errorf("failed to upload chain: %w", err)
 	}
-	newX5U := path.Join(s.X5U, chainName)
+	newX5U, err := url.JoinPath(s.X5U, chainName)
+	if err != nil {
+		return fmt.Errorf("failed to join x5u with chain name: %w", err)
+	}
 	_, _, err = GetX5U(buildHTTPClient(), newX5U)
 	if err != nil {
 		return fmt.Errorf("failed to download new chain: %w", err)
 	}
 	s.X5U = newX5U
-	return
+	return nil
 }
 
 // makeChain issues an end-entity certificate using the ca private key and the first