`has_known_suffix` always returns true
Diggsey opened this issue
This is a security vulnerability, as programs may rely on this to screen out local domains, e.g. "example.svc.local".
I understand that the algorithm described on https://publicsuffix.org/list/ specifies that:
If no rules match, the prevailing rule is "*".
However, this is for a specific use-case: when determining what part of the domain is the public suffix. Using this rule when determining whether the suffix is "known" is a huge security hole, as it essentially treats all domains as "known".
Specifically, the "type" should be None if the wildcard rule is used as a fallback.
#31 contains a possible minimal fix for this behaviour.
Fixed by #31
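The following is an added example written for this page; it is not code from the issue, the linked PR or the crate. It implements the public-suffix resolution described at https://publicsuffix.org/list/ over a small constructed rule set (the `RULES` constant, `Suffix`, `RuleKind` and both `has_known_suffix*` functions are assumptions for the demo, not the crate's API) and shows the distinction the issue asks for: the implicit "*" fallback still yields a suffix, so a check that only asks "was a suffix derived?" is true for every input, while a check that asks "did an explicit rule match?" correctly rejects "example.svc.local".

```rust
/// Which rule produced the suffix. The PSL algorithm says "if no rules match,
/// the prevailing rule is '*'"; that fallback must be reported as such rather
/// than silently treated like a real list entry.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RuleKind {
    /// A normal, wildcard or exception rule from the list matched.
    Explicit,
    /// Nothing matched; the implicit "*" rule was used.
    Fallback,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Suffix {
    pub suffix: String,
    pub kind: RuleKind,
}

/// Constructed excerpt of a PSL-style rule set for this demo (assumption: this
/// is not the real list; a real implementation loads the full list).
const RULES: &[&str] = &["com", "uk", "co.uk", "*.ck", "!www.ck"];

/// A rule matches when, comparing labels right-to-left, every rule label equals
/// the domain label or is the "*" wildcard. Rules are lowercase; the domain has
/// already been lowercased by the caller.
fn rule_matches(rule_labels: &[&str], domain_labels: &[&str]) -> bool {
    rule_labels.len() <= domain_labels.len()
        && rule_labels
            .iter()
            .rev()
            .zip(domain_labels.iter().rev())
            .all(|(r, d)| *r == "*" || r == d)
}

/// Standard PSL resolution: among matching rules an exception rule prevails,
/// otherwise the one with the most labels; an exception rule is applied with
/// its leftmost label removed. With no match at all the "*" fallback applies,
/// and the result is flagged `Fallback` instead of being passed off as known.
pub fn public_suffix(domain: &str) -> Suffix {
    let lowered = domain.trim_end_matches('.').to_ascii_lowercase();
    let labels: Vec<&str> = lowered.split('.').collect();

    // (number of suffix labels, matched rule was an exception)
    let mut best: Option<(usize, bool)> = None;
    for rule in RULES {
        let (is_exception, body) = match rule.strip_prefix('!') {
            Some(body) => (true, body),
            None => (false, *rule),
        };
        let rule_labels: Vec<&str> = body.split('.').collect();
        if !rule_matches(&rule_labels, &labels) {
            continue;
        }
        let n = if is_exception { rule_labels.len() - 1 } else { rule_labels.len() };
        best = match best {
            Some((_, true)) => best,                              // exception already won
            Some((m, false)) if !is_exception && m >= n => best,  // keep the longer rule
            _ => Some((n, is_exception)),
        };
    }

    match best {
        Some((n, _)) => Suffix {
            suffix: labels[labels.len() - n..].join("."),
            kind: RuleKind::Explicit,
        },
        // Implicit "*" rule: the public suffix is just the rightmost label.
        None => Suffix {
            suffix: labels.last().copied().unwrap_or("").to_string(),
            kind: RuleKind::Fallback,
        },
    }
}

/// The flawed check this issue describes: it only asks whether a suffix was
/// derived at all. Because the "*" fallback always derives one, this is true
/// for every non-empty input, including internal names like "example.svc.local".
pub fn has_known_suffix_buggy(domain: &str) -> bool {
    !public_suffix(domain).suffix.is_empty()
}

/// The corrected check: a suffix is "known" only if an explicit rule matched.
pub fn has_known_suffix(domain: &str) -> bool {
    public_suffix(domain).kind == RuleKind::Explicit
}

fn main() {
    let samples = ["example.com", "foo.co.uk", "bar.foo.ck", "www.ck", "example.svc.local"];
    for d in samples.iter().copied() {
        let s = public_suffix(d);
        println!(
            "{:20} suffix={:<8} {:?} buggy={} fixed={}",
            d, s.suffix, s.kind, has_known_suffix_buggy(d), has_known_suffix(d)
        );
    }
}
```

Running it prints `buggy=true` for every sample and `fixed=false` only for `example.svc.local`, which is exactly the screening behaviour a caller relying on `has_known_suffix` expects. The design point is that the resolver returns the rule kind alongside the suffix, so the caller never has to reverse-engineer "did the list actually contain this?" from the suffix string alone.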