Double-check that acctID and acct.ID are the same

letsencrypt · Jan 30, 2025 · 0e33bfc · 0e33bfc
1 parent f2f8070
commit 0e33bfc
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -2501,6 +2501,11 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
 		return
 	}
 
+	if acct.ID != acctID {
+		wfe.sendError(response, logEvent, probs.Malformed("Mismatched account ID"), nil)
+		return
+	}
+
 	order, err := wfe.sa.GetOrder(ctx, &sapb.OrderRequest{Id: orderID})
 	if err != nil {
 		if errors.Is(err, berrors.NotFound) {