mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-11-21 01:16:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

Curl_cert_hostcheck: reject IP address wildcard matches

Browse Source 
There are server certificates used with IP address in the CN field, but
we MUST not allow wild cart certs for hostnames given as IP addresses
only. Therefore we must make Curl_cert_hostcheck() fail such attempts.

Bug: http://curl.haxx.se/docs/adv_20140326B.html
Reported-by: Richard Moore
This commit is contained in:
Daniel Stenberg 2014-03-03 11:46:36 +01:00
parent 517b06d657
commit 5019c78095
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/hostcheck.c
View File

@ -28,6 +28,7 @@
#include "hostcheck.h"
#include "rawstr.h"
#include "inet_pton.h"
/*
* Match a hostname against a wildcard pattern.
@ -43,11 +44,23 @@ static int hostmatch(const char *hostname, const char *pattern)
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
int wildcard_enabled;
size_t prefixlen, suffixlen;
struct in_addr ignored;
#ifdef ENABLE_IPV6
struct sockaddr_in6 si6;
#endif
pattern_wildcard = strchr(pattern, '*');
if(pattern_wildcard == NULL)
return Curl_raw_equal(pattern, hostname) ?
CURL_HOST_MATCH : CURL_HOST_NOMATCH;
/* detect IP address as hostname and fail the match if so */
if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
return CURL_HOST_NOMATCH;
#ifdef ENABLE_IPV6
else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
return CURL_HOST_NOMATCH;
#endif
/* We require at least 2 dots in pattern to avoid too wide wildcard
match. */
wildcard_enabled = 1;