From 8f2be59a821d94fdbd2b50469450c94ffc8aef34 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Fri, 17 Jan 2025 23:01:07 +0100
Subject: [PATCH] Error out on domain names with wildcards in captive portals

---
 dnscrypt-proxy/coldstart.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dnscrypt-proxy/coldstart.go b/dnscrypt-proxy/coldstart.go
index 81bccb7b..0f0b73ac 100644
--- a/dnscrypt-proxy/coldstart.go
+++ b/dnscrypt-proxy/coldstart.go
@@ -170,6 +170,12 @@ func ColdStart(proxy *Proxy) (*CaptivePortalHandler, error) {
 		if err != nil {
 			continue
 		}
+		if strings.Index(ipsStr, "*") != -1 {
+			return nil, fmt.Errorf(
+				"A captive portal rule must use an exact host name at line %d",
+				1+lineNo,
+			)
+		}
 		var ips []net.IP
 		for _, ip := range strings.Split(ipsStr, ",") {
 			ipStr := strings.TrimSpace(ip)