Репозитории ALT
| S: | 3.93.0-alt1 |
| 5.1: | 3.12.9.0-alt1.M50P.1 |
| 4.1: | 3.12.1-alt0.20080628.M41.2 |
| 4.0: | 3.11.4-alt1 |
Группа :: Система/Библиотеки
Пакет: nss
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: nss-3.12.1-CVE-2009-2404.patch
Скачать
Скачать
Index: mozilla/security/nss/lib/certdb/certdb.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v
retrieving revision 1.96
diff -p -u -r1.96 certdb.c
--- mozilla/security/nss/lib/certdb/certdb.c 9 Feb 2009 07:51:30 -0000 1.96
+++ mozilla/security/nss/lib/certdb/certdb.c 11 Mar 2009 20:02:23 -0000
@@ -1446,32 +1446,61 @@ CERT_AddOKDomainName(CERTCertificate *ce
** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
** returns SECFailure with some other error code if another error occurs.
**
-** may modify cn, so caller must pass a modifiable copy.
+** This function may modify *cn, so caller must pass a modifiable copy.
*/
static SECStatus
cert_TestHostName(char * cn, const char * hn)
{- int regvalid = PORT_RegExpValid(cn);
- if (regvalid != NON_SXP) {- SECStatus rv;
- /* cn is a regular expression, try to match the shexp */
- int match = PORT_RegExpCaseSearch(hn, cn);
+ static int useShellExp = -1;
- if ( match == 0 ) {- rv = SECSuccess;
- } else {- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- rv = SECFailure;
- }
- return rv;
- }
- /* cn is not a regular expression */
+ if (useShellExp < 0) {+ useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_WILDCARDS"));+ }
+ if (useShellExp) {+ /* Backward compatible code, uses full Regular Expressions. */
+ int regvalid = PORT_RegExpValid(cn);
+ if (regvalid != NON_SXP) {+ SECStatus rv;
+ /* cn is a regular expression, try to match the shexp */
+ int match = PORT_RegExpCaseSearch(hn, cn);
- /* compare entire hn with cert name */
+ if ( match == 0 ) {+ rv = SECSuccess;
+ } else {+ PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+ rv = SECFailure;
+ }
+ return rv;
+ }
+ } else {+ /* New approach conforms to RFC 2818. */
+ char *wildcard = PORT_Strchr(cn, '*');
+ char *firstcndot = PORT_Strchr(cn, '.');
+ char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
+ char *firsthndot = PORT_Strchr(hn, '.');
+
+ /* For a cn pattern to be considered valid, the wildcard character...
+ * - may occur only in a DNS name with at least 3 components, and
+ * - may occur only as last character in the first component, and
+ * - may be preceded by additional characters
+ */
+ if (wildcard && secondcndot && secondcndot[1] && firsthndot
+ && firstcndot - wildcard == 1
+ && secondcndot - firstcndot > 1
+ && PORT_Strrchr(cn, '*') == wildcard
+ && !PORT_Strncasecmp(cn, hn, wildcard - cn)
+ && !PORT_Strcasecmp(firstcndot, firsthndot)) {+ /* valid wildcard pattern match */
+ return SECSuccess;
+ }
+ }
+ /* CN has no wildcard or shell expression.
+ * Compare entire hn with cert name.
+ */
if (PORT_Strcasecmp(hn, cn) == 0) {return SECSuccess;
}
-
+
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
return SECFailure;
}