Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Snapshot
    • Fix Version/s: 4.2.3
    • Component/s: HttpConn
    • Labels:

      Description

      According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.

      String prefix = parts[0].substring(0, parts.length-2); // e.g. server
      should be
      String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server

      (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)

      [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
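
      The effect of the two expressions in the description, as an added example that is not part of the original report and not HttpClient's own code. Only the two `substring` expressions come from the report; the class, the simplified `matches` helper, the certificate names and the hostnames are constructed assumptions. It runs both forms against a three-label pattern and a seven-label pattern, where the array-length index exceeds the length of the first label.

```java
import java.util.Locale;

public class WildcardPrefixDemo {
    // Expression quoted in the report: indexes by the number of dotted parts.
    static String prefixReported(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Expression proposed in the report: drops only the trailing '*'.
    static String prefixProposed(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified matcher (assumption, not AbstractVerifier): the host must start with the
    // prefix, end with the rest of the pattern, and the wildcard must stay inside one label.
    static boolean matches(String host, String pattern, boolean proposed) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        String[] parts = p.split("\\.");
        if (!parts[0].endsWith("*") || parts[0].length() < 2) {
            return h.equals(p); // only the "prefix*" form is in scope here
        }
        String prefix = proposed ? prefixProposed(parts) : prefixReported(parts);
        String suffix = p.substring(parts[0].length()); // e.g. ".example.com"
        if (!h.startsWith(prefix) || !h.endsWith(suffix)
                || h.length() < prefix.length() + suffix.length()) {
            return false;
        }
        String wild = h.substring(prefix.length(), h.length() - suffix.length());
        return wild.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String pattern = "server*.example.com"; // constructed certificate name
        for (String host : new String[] {"server1.example.com", "shop.example.com"}) {
            System.out.printf("%-20s reported=%-5b proposed=%b%n", host,
                    matches(host, pattern, false), matches(host, pattern, true));
        }
        // Seven labels: parts.length - 2 is 5, longer than the first label "ab*".
        String deep = "ab*.a.b.c.d.example.com";   // constructed certificate name
        String deepHost = "abc.a.b.c.d.example.com"; // constructed hostname
        try {
            matches(deepHost, deep, false);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println(deep + " reported form throws " + e.getClass().getSimpleName());
        }
        System.out.println(deep + " proposed=" + matches(deepHost, deep, true));
    }
}
```

      With the reported expression the prefix for `server*.example.com` is `s`, so the constructed host `shop.example.com` is accepted; with the proposed expression the prefix is `server` and it is rejected.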

        Activity

        Oleg Kalnichevski added a comment -

        Fixed in both trunk and 4.2.x branch.

        Oleg


          People

          • Assignee:
            Unassigned
            Reporter:
            Ingo Bauersachs
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              1h
              Remaining:
              1h
              Logged:
              Not Specified
