Posted to dev@hc.apache.org by "Ingo Bauersachs (JIRA)" <ji...@apache.org> on 2012/10/25 22:27:12 UTC
[jira] [Created] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect
Ingo Bauersachs created HTTPCLIENT-1255:
-------------------------------------------
Summary: Wildcard matching in hostname verifier incorrect
Key: HTTPCLIENT-1255
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: Snapshot
Reporter: Ingo Bauersachs
According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.

    String prefix = parts[0].substring(0, parts.length-2); // e.g. server

should be

    String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server

(This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)

[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
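
Added example (not part of the original message and not HttpClient's source): a simplified wildcard matcher that shows how the two prefix expressions from the report behave on the same certificate name. Only those two expressions come from the report; the class name, the matcher around them, and the sample CN and hostnames are constructed assumptions.

```java
import java.util.Locale;

// Added illustration, not HttpClient's AbstractVerifier: only the two prefix
// expressions come from the report; the surrounding matcher is a simplified assumption.
public class WildcardPrefixDemo {

    // Prefix as computed before the fix: bounded by the number of dotted labels.
    static String reportedPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Prefix as proposed in the report: the first label minus its trailing '*'.
    static String proposedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Hypothetical matcher: the host must start with the prefix, end with the
    // part of the CN after its first label, and have the same number of labels.
    static boolean matches(String cn, String host, boolean fixed) {
        String name = cn.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        String[] parts = name.split("\\.");
        if (parts.length < 3 || !parts[0].endsWith("*")) {
            return h.equals(name); // no wildcard handling: exact match only
        }
        String prefix = fixed ? proposedPrefix(parts) : reportedPrefix(parts);
        String suffix = name.substring(parts[0].length()); // e.g. ".example.com"
        return h.startsWith(prefix)
                && h.length() >= prefix.length() + suffix.length()
                && h.endsWith(suffix)
                && h.split("\\.").length == parts.length;
    }

    public static void main(String[] args) {
        String cn = "server*.example.com"; // constructed certificate CN
        String[] hosts = {                 // constructed hostnames
            "server1.example.com", "staging.example.com", "www.example.com"
        };
        for (String host : hosts) {
            System.out.printf("%-22s reported=%-5b proposed=%b%n",
                    host, matches(cn, host, false), matches(cn, host, true));
        }
    }
}
```

With a three-label CN the reported expression evaluates to substring(0, 1), so the prefix check is reduced to the first character of the label; the proposed expression keeps the whole label up to the wildcard.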
[jira] [Resolved] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-1255.
-------------------------------------------
Resolution: Fixed
Fixed in both trunk and 4.2.x branch.
Oleg
> Wildcard matching in hostname verifier incorrect
> ------------------------------------------------
>
> Key: HTTPCLIENT-1255
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: Snapshot
> Reporter: Ingo Bauersachs
> Labels: security
> Fix For: 4.2.3
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[jira] [Updated] (HTTPCLIENT-1255) Wildcard matching in hostname verifier incorrect
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski updated HTTPCLIENT-1255:
------------------------------------------
Component/s: (was: HttpClient)
HttpConn
Fix Version/s: 4.2.3