From 976bb715e0e9cab92f3d21fc5fa4aa152ef819c2 Mon Sep 17 00:00:00 2001
From: Michiel Visser
Date: Tue, 22 Feb 2022 16:04:07 +0100
Subject: [PATCH] LibTLS: Correct matching hostname with certificate subject
The wildcard specified in a certificates subject can only match a single level of subdomains. Originally, this function could match multiple levels of subdomains with a single "*.". As an example, https://wrong.host.badssl.com/ should fail to load, as the certificate provided by the server only specifies "*.badssl.com". However this was correctly matching anyway. With this change this page now correctly fails to load.
---
Userland/Libraries/LibTLS/TLSv12.cpp | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp
index 1cff1fe03f..88af0f2635 100644
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@@ -193,11 +193,16 @@ void TLSv12::set_root_certificates(Vector certificates)
 static bool wildcard_matches(StringView host, StringView subject)
 {
- if (host.matches(subject))
+ if (host == subject)
 return true;
- if (subject.starts_with("*."))
- return wildcard_matches(host, subject.substring_view(2));
+ if (subject.starts_with("*.")) {
+ auto maybe_first_dot_index = host.find('.');
+ if (maybe_first_dot_index.has_value()) {
+ auto first_dot_index = maybe_first_dot_index.release_value();
+ return wildcard_matches(host.substring_view(first_dot_index + 1), subject.substring_view(2));
+ }
+ }
 return false;
 }
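Review bot: The recursive call in the `*.` branch still treats the rest of the subject as a pattern, so a subject with a second wildcard label (`*.*.example.com`) or a wildcard directly above a single label (`*.com`) is accepted, whereas RFC 6125 section 6.4.3 expects a wildcard only as the whole left-most label. Once one label has been stripped from each side a plain comparison is enough: `return host.substring_view(first_dot_index + 1) == subject.substring_view(2);`. The branch could also reject a `first_dot_index` of 0 (an empty left-most label) and a subject remainder that contains no dot. Separately, `host == subject` is byte-exact while DNS names compare case-insensitively; if the removed `host.matches(subject)` was case-insensitive (to be confirmed against AK's default), mixed-case hosts will now fail verification, and `host.equals_ignoring_case(subject)` would keep the old behaviour.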