Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2012/10/26 16:23:13 UTC
[jira] [Updated] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski updated HTTPCLIENT-1255:
------------------------------------------
Component/s: HttpConn (was: HttpClient)
Fix Version/s: 4.2.3
> Wildcard matching in hostname verifier incorrect
> ------------------------------------------------
>
> Key: HTTPCLIENT-1255
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: Snapshot
> Reporter: Ingo Bauersachs
> Labels: security
> Fix For: 4.2.3
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
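The two prefix expressions quoted in the report, run side by side, as an added example that is not part of the original message or the project's code. The class `WildcardPrefixDemo`, its helper `matches` (a simplified stand-in for the surrounding match logic) and all certificate names and hostnames are constructed for illustration. The cases cover a pattern with three labels, one with four, and one with five where the quoted expression indexes past the end of the first label.

```java
import java.util.function.Function;

public class WildcardPrefixDemo {
    // Prefix extraction exactly as quoted in the report (the line marked incorrect).
    static String buggyPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Prefix extraction as the report says it should be: drop only the trailing '*'.
    static String fixedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified stand-in matcher (assumption, not the project's AbstractVerifier):
    // the host must start with the prefix and end with the pattern text after '*'.
    static boolean matches(String host, String cn, Function<String[], String> prefixOf) {
        String[] parts = cn.split("\\.");
        String prefix = prefixOf.apply(parts);
        String suffix = cn.substring(parts[0].length()); // e.g. ".example.com"
        return host.startsWith(prefix) && host.substring(prefix.length()).endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed {certificate name pattern, requested host} pairs.
        String[][] cases = {
            {"server*.example.com", "server1.example.com"},      // 3 labels, intended match
            {"server*.example.com", "smtp.example.com"},         // 3 labels, host lacks "server"
            {"server*.a.example.com", "sentinel.a.example.com"}, // 4 labels, host lacks "server"
            {"a*.b.c.example.com", "a1.b.c.example.com"},        // 5 labels, first label is 2 chars
        };
        for (String[] c : cases) {
            String buggy;
            try {
                buggy = String.valueOf(matches(c[1], c[0], WildcardPrefixDemo::buggyPrefix));
            } catch (StringIndexOutOfBoundsException e) {
                // parts.length - 2 can exceed the length of the first label.
                buggy = "StringIndexOutOfBoundsException";
            }
            boolean fixed = matches(c[1], c[0], WildcardPrefixDemo::fixedPrefix);
            System.out.printf("%-22s vs %-24s buggy=%s fixed=%s%n", c[0], c[1], buggy, fixed);
        }
    }
}
```

A regression test for the fix should vary the number of labels in the pattern independently of the length of the first label, since the two values only coincide for some inputs.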