Posted to dev@nutch.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/12/17 17:05:00 UTC

[jira] [Commented] (NUTCH-2786) TrustManager methods do not have certificate validation logic

    [ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17251207#comment-17251207 ] 

ASF GitHub Bot commented on NUTCH-2786:
---------------------------------------

lewismc commented on pull request #524:
URL: https://github.com/apache/nutch/pull/524#issuecomment-747570772


   @AthenaXiao thanks for the patch. I think it would be more appropriate to provide Javadoc. Can you consider this and resubmit your patch?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
>                 Key: NUTCH-2786
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2786
>             Project: Nutch
>          Issue Type: Improvement
>          Components: plugin, protocol
>    Affects Versions: 1.16
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: 1.18
>
>
> * *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
>  * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but returning hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
>  * *Suggested Fix:* Adding necessary certificate verification logic in the overridden methods. This is an example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
>  * *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)