mirror of https://github.com/RGBCube/serenity synced 2025-07-26 06:47:34 +00:00

LibTLS: Correct matching hostname with certificate subject

The wildcard specified in a certificate's subject can only match a single
level of subdomains. Originally, this function could match multiple
levels of subdomains with a single "*.".

As an example, https://wrong.host.badssl.com/ should fail to load, as
the certificate provided by the server only specifies "*.badssl.com".
However, this was correctly matching anyway. With this change, this page
now correctly fails to load.
Michiel Visser 2022-02-22 16:04:07 +01:00 committed by Ali Mohammad Pur
parent 331092d25a
commit 976bb715e0


@ -193,11 +193,16 @@ void TLSv12::set_root_certificates(Vector<Certificate> certificates)
static bool wildcard_matches(StringView host, StringView subject)
{
if (host.matches(subject))
if (host == subject)
return true;
if (subject.starts_with("*."))
return wildcard_matches(host, subject.substring_view(2));
if (subject.starts_with("*.")) {
auto maybe_first_dot_index = host.find('.');
if (maybe_first_dot_index.has_value()) {
auto first_dot_index = maybe_first_dot_index.release_value();
return wildcard_matches(host.substring_view(first_dot_index + 1), subject.substring_view(2));
}
}
return false;
}
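Review bot: The recursive call after stripping one "*." still lets a subject with stacked wildcards such as "*.*.example.com" consume one host label per wildcard, so the "single level of subdomains" rule this commit aims for only holds when the subject contains a single leading "*.". Since the new branch already removes exactly one host label and one "*." before recursing, it would be tighter to compare the remainders directly (`return host.substring_view(first_dot_index + 1) == subject.substring_view(2);`), or to reject any subject that still starts with "*." after the first strip. Separately, replacing `host.matches(subject)` with `host == subject` makes the exact-name comparison case-sensitive; hostnames are case-insensitive, so unless the caller lowercases both sides before reaching this function, a certificate for "Example.com" would stop matching "example.com". Consider `equals_ignoring_case` for both the exact comparison and the post-wildcard comparison.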