From 3666b919815a9729b68a3a6821c21711b4ddabfb Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Tue, 9 Dec 2025 08:32:07 +0100
Subject: [PATCH] [crypto,certificate] sanitize hostnames

When creating a local certificate file ensure the hostname does not
contain invalid characters.
---
 libfreerdp/crypto/certificate_data.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/crypto/certificate_data.c b/libfreerdp/crypto/certificate_data.c
index 8b8b9af7e..efacdeae6 100644
--- a/libfreerdp/crypto/certificate_data.c
+++ b/libfreerdp/crypto/certificate_data.c
@@ -58,11 +58,34 @@ static char* ensure_lowercase(char* str, size_t length)
 		str[x] = (char)tolower(str[x]);
 	return str;
 }
+
+static char* ensure_valid_charset(char* str, size_t length)
+{
+	const size_t len = strnlen(str, length);
+	for (size_t x = 0; x < len; x++)
+	{
+		char cur = str[x];
+		switch (cur)
+		{
+			case ':':
+				str[x] = '.';
+				break;
+			case '/':
+			case '\\':
+				str[x] = '_';
+				break;
+			default:
+				break;
+		}
+	}
+	return str;
+}
+
 static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
                                                   size_t length)
 {
 	(void)_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
-	return ensure_lowercase(name, length);
+	return ensure_lowercase(ensure_valid_charset(name, length), length);
 }
 
 static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)