Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- None
Description
According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.

    String prefix = parts[0].substring(0, parts.length-2); // e.g. server

should be

    String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server

(This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
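
The following is an added example, not part of the original report and not HttpClient's code. It runs the two `substring` expressions quoted above side by side to show how the reported line changes which hostnames a wildcard pattern accepts. The class name, the simplified `matches` helper and the sample patterns and hostnames are assumptions constructed for this illustration.

```java
// Added illustration, not HttpClient source. Only the two substring
// expressions come from the report; everything else is assumed.
public class WildcardPrefixDemo {

    // Prefix extraction as quoted in the report: indexes by the number of labels.
    static String reportedPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Prefix extraction as proposed in the report: drops only the trailing '*'.
    static String proposedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified matcher (assumption): the host must start with the prefix and
    // end with whatever follows the first label of the pattern.
    static boolean matches(String host, String pattern, boolean proposed) {
        String[] parts = pattern.split("\\.");
        String prefix = proposed ? proposedPrefix(parts) : reportedPrefix(parts);
        String suffix = pattern.substring(parts[0].length());
        return host.startsWith(prefix)
                && host.substring(prefix.length()).endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        String pattern = "server*.example.com";
        String[] hosts = {"server1.example.com", "staging.example.com"};
        for (String host : hosts) {
            System.out.printf("%-22s reported=%b proposed=%b%n", host,
                    matches(host, pattern, false), matches(host, pattern, true));
        }

        // With a short first label and many labels, the label count exceeds
        // the length of parts[0] and substring() throws.
        String[] longPattern = "a*.b.c.d.e".split("\\.");
        try {
            reportedPrefix(longPattern);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("reported expression threw: " + e.getMessage());
        }
        System.out.println("proposed prefix: \"" + proposedPrefix(longPattern) + "\"");
    }
}
```

The pair of hostnames in `main` works as a regression check for any verifier that supports partial-label wildcards: one host that shares the full literal prefix and one that shares only its first character.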