You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by "Ingo Bauersachs (JIRA)" <ji...@apache.org> on 2012/10/25 22:27:12 UTC

[jira] [Created] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect

Ingo Bauersachs created HTTPCLIENT-1255:
-------------------------------------------

             Summary: Wildcard matching in hostname verifier incorrect
                 Key: HTTPCLIENT-1255
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: Snapshot
            Reporter: Ingo Bauersachs


According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.

String prefix = parts[0].substring(0, parts.length-2); // e.g. server
should be
String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server

(This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)

[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

[jira] [Resolved] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1255.
-------------------------------------------

    Resolution: Fixed

Fixed in both trunk and 4.2.x branch.

Oleg
                
> Wildcard matching in hostname verifier incorrect
> ------------------------------------------------
>
>                 Key: HTTPCLIENT-1255
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Snapshot
>            Reporter: Ingo Bauersachs
>              Labels: security
>             Fix For: 4.2.3
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

[jira] [Updated] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1255:
------------------------------------------

      Component/s:     (was: HttpClient)
                   HttpConn
    Fix Version/s: 4.2.3
    
> Wildcard matching in hostname verifier incorrect
> ------------------------------------------------
>
>                 Key: HTTPCLIENT-1255
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Snapshot
>            Reporter: Ingo Bauersachs
>              Labels: security
>             Fix For: 4.2.3
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org