Details

      Description

      According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.

      String prefix = parts[0].substring(0, parts.length-2); // e.g. server
      should be
      String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server

      (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)

      [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

            People

            • Assignee:
              Unassigned
              Reporter:
              ibauersachs Ingo Bauersachs

                Time Tracking

                Estimated: 1h
                Remaining: 1h
                Logged: Not Specified
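
The two expressions from the description, compared side by side in an added example (not code from the report or from HttpClient). The class name, the sample certificate patterns and hostnames are constructed, and matches() is a simplified stand-in for the verifier's wildcard comparison, assumed here for illustration only.

```java
import java.util.function.Function;

public class WildcardPrefixCheck {

    // Expression quoted in the report: end index taken from the number of dotted parts.
    static String reportedPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Expression proposed in the report: first label without its trailing '*'.
    static String proposedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified matcher (assumption, not the project's code): the host must start
    // with the prefix and end with everything that follows the pattern's first label.
    static boolean matches(String pattern, String host, Function<String[], String> prefixFn) {
        String[] parts = pattern.split("\\.");
        String prefix = prefixFn.apply(parts);
        String suffix = pattern.substring(parts[0].length()); // e.g. ".example.com"
        return host.length() >= prefix.length() + suffix.length()
                && host.startsWith(prefix)
                && host.endsWith(suffix);
    }

    // Renders the extracted prefix, or the exception name when the index is out of range.
    static String describe(String pattern, Function<String[], String> prefixFn) {
        try {
            return "\"" + prefixFn.apply(pattern.split("\\.")) + "\"";
        } catch (StringIndexOutOfBoundsException e) {
            return "StringIndexOutOfBoundsException";
        }
    }

    public static void main(String[] args) {
        // Constructed wildcard patterns with 3, 3, 4 and 6 dotted parts.
        String[] patterns = {"server*.example.com", "s*.example.com",
                             "server*.a.example.com", "a*.b.c.d.example.com"};
        for (String p : patterns) {
            System.out.printf("%-24s reported=%s proposed=%s%n", p,
                    describe(p, WildcardPrefixCheck::reportedPrefix),
                    describe(p, WildcardPrefixCheck::proposedPrefix));
        }
        // Regression cases for a verifier test suite (constructed hostnames).
        String pattern = "server*.example.com";
        for (String host : new String[] {"server1.example.com", "smtp.example.com"}) {
            System.out.printf("%-24s reported=%b proposed=%b%n", host,
                    matches(pattern, host, WildcardPrefixCheck::reportedPrefix),
                    matches(pattern, host, WildcardPrefixCheck::proposedPrefix));
        }
    }
}
```

With the reported expression the prefix length follows the number of labels in the pattern rather than the first label, so it is too short for most patterns and out of range when the pattern has many labels and a short first label. The last two rows are the cases a regression test for the fix should pin down.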