List: kde-commits
Subject: KDE/kdelibs/kio/kio
From: Richard J. Moore <rich () kde ! org>
Date: 2010-09-10 15:38:50
Message-ID: 20100910153850.67DB0AC884 () svn ! kde ! org
SVN commit 1173851 by rich:
- Fix wildcard ssl handling. We now handle wildcards correctly, rather
than treating them as shell globs. This addresses the same issue as QTBUG-4455.
In addition, I've fixed http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
for konqueror.
M +41 -3 tcpslavebase.cpp
M +3 -0 tcpslavebase.h
--- trunk/KDE/kdelibs/kio/kio/tcpslavebase.cpp #1173850:1173851
@@ -4,6 +4,7 @@
* Copyright (C) 2001 Dawit Alemayehu <adawit@kde.org>
* Copyright (C) 2007,2008 Andreas Hartmetz <ahartmetz@gmail.com>
* Copyright (C) 2008 Roland Harnau <tau@gmx.eu>
+ * Copyright (C) 2010 Richard Moore <rich@kde.org>
*
* This file is part of the KDE project
*
@@ -452,7 +453,46 @@
return startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
}
+bool TCPSlaveBase::isMatchingHostname(const QString &cn, const QString &hostname)
+{
+ int wildcard = cn.indexOf(QLatin1Char('*'));
+ // Check this is a wildcard cert, if not then just compare the strings
+ if (wildcard < 0)
+ return cn == hostname;
+
+ const int firstCnDot = cn.indexOf(QLatin1Char('.'));
+ const int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
+
+ // Check at least 3 components
+ if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
+ return false;
+
+ // Check * is last character of 1st component (ie. there's a following .)
+ if (wildcard+1 != firstCnDot)
+ return false;
+
+ // Check only one star
+ if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
+ return false;
+
+ // Check characters preceding * (if any) match
+ if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
+ return false;
+
+ // Check characters following first . match
+ if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
+ return false;
+
+ // Check if the hostname is an IP address, if so then wildcards are not allowed
+ QHostAddress addr(hostname);
+ if (!addr.isNull())
+ return false;
+
+ // Ok, I guess this was a wildcard CN and the hostname matches.
+ return true;
+}
+
TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
{
KTcpSocket::SslVersion sslVersion = static_cast<KTcpSocket::SslVersion>(v_);
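Review bot: The suffix comparison `hostname.midRef(hostname.indexOf(QLatin1Char('.')))` passes -1 when the hostname contains no dot, so rejecting a single-label host rests on how QString::midRef treats a negative position rather than on an explicit check; reject it before that line with `const int firstHostDot = hostname.indexOf(QLatin1Char('.')); if (firstHostDot < 0) return false;` and then compare `hostname.midRef(firstHostDot)`. The new function also has no header comment; a short one stating the rules the checks encode — the `*` may only be the last character of the first label, at least two further labels must follow, the comparison is case-sensitive so callers must normalise case, and a literal IP address never matches a wildcard — would let a reader verify the intent without re-deriving it from the branches. The prefix check `wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard))` deliberately accepts partial wildcards such as `www*.example.com`; if that is intended it is worth saying so in the same comment, since some validators refuse that form.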
@@ -507,7 +547,6 @@
QSslCertificate peerCert = d->socket.peerCertificateChain().first();
QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
- QRegExp domainMatcher(QString(), Qt::CaseInsensitive, QRegExp::Wildcard);
QMutableListIterator<KSslError> it(d->sslErrors);
while (it.hasNext()) {
// As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
@@ -518,8 +557,7 @@
continue;
}
Q_FOREACH (const QString &dp, domainPatterns) {
- domainMatcher.setPattern(dp);
- if (domainMatcher.exactMatch(d->host)) {
+ if (isMatchingHostname(dp.lower(), d->host.lower())) {
it.remove();
}
}
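Review bot: `dp.lower()` and `d->host.lower()` use the Qt3-compatibility spelling; the Qt4 name is `toLower()`, so unless this build relies on QT3_SUPPORT the line should read `if (isMatchingHostname(dp.toLower(), d->host.toLower())) {`. QString lower-casing applies Unicode case mapping, whereas certificate names and hosts are compared as ASCII/IDNA labels in practice; presumably d->host is already in ASCII form at this point, but that is not visible in the hunk. The enclosing verifyServerCertificate loop starts and ends outside the hunk.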
--- trunk/KDE/kdelibs/kio/kio/tcpslavebase.h #1173850:1173851
@@ -198,6 +198,9 @@
// For the certificate verification code
SslResult verifyServerCertificate();
+ // For verifying ssl hostnames (including wildcards)
+ bool isMatchingHostname(const QString &cn, const QString &hostname);
+
// For prompting for the client certificate to use
void selectClientCertificate();
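Review bot: The comment on the new declaration does not say the match is case-sensitive, yet the caller in tcpslavebase.cpp lower-cases both arguments before the call; suggest `// For verifying ssl hostnames (including wildcards). Comparison is case-sensitive: callers lower-case both arguments first.` As far as the .cpp hunk shows, the function reads no member state, so it could be declared `static`, which also makes it straightforward to unit-test in isolation. The enclosing class declaration starts and ends outside the hunk.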