diefferson / http_certificate_pinning

Https Certificate pinning for Flutter
Apache License 2.0

Dio interceptor verifies wrong host #43

Closed sebkoller closed 10 months ago

sebkoller commented 1 year ago

The Dio interceptor only verifies the host from options.baseUrl. If a request is made to a different host, the interceptor will either verify the host from the baseUrl or return a cached success.

Here is an example that will return a success on two requests, even though the fingerprint does not match on the second request.

```dart
final dio = Dio(BaseOptions(baseUrl: "https://example.com"));
dio.interceptors.add(
    CertificatePinningInterceptor(allowedSHAFingerprints: ["..."]));

dio.get("https://example.com");
dio.get("https://pub.dev");
```

diefferson commented 10 months ago

Thanks for this observation, this was fixed in release 2.1.1
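
The behaviour reported in this issue, as a self-contained Dart model added here for illustration; it is not the plugin's code and not the 2.1.1 fix. `PinChecker`, its methods, the `observedFingerprint` table (a stand-in for the TLS handshake) and the fingerprint values are all constructed assumptions.

```dart
// Constructed stand-in for "fingerprint the server presents during TLS".
const observedFingerprint = <String, String>{
  'example.com': 'AA:AA', // placeholder value
  'pub.dev': 'BB:BB', // placeholder value
};

class PinChecker {
  PinChecker(this.baseUrl, this.allowed);

  final String baseUrl;
  final Set<String> allowed;

  bool? _cachedResult; // one result shared by every request
  final Map<String, bool> _verifiedHosts = {}; // one result per host

  // Unknown hosts have no fingerprint in the table, so they fail closed.
  bool _matches(String host) => allowed.contains(observedFingerprint[host]);

  // Behaviour described in the issue: the request path is ignored, the
  // base URL's host is checked once, and the cached result is reused.
  bool checkBaseUrlOnly(String path) =>
      _cachedResult ??= _matches(Uri.parse(baseUrl).host);

  // Resolve the request against the base URL first, then check (and cache)
  // the host the connection will actually be made to.
  bool checkRequestHost(String path) {
    final host = Uri.parse(baseUrl).resolve(path).host;
    return _verifiedHosts.putIfAbsent(host, () => _matches(host));
  }
}

void main() {
  // Only example.com's (placeholder) fingerprint is pinned.
  final checker = PinChecker('https://example.com', {'AA:AA'});
  const requests = ['https://example.com/', 'https://pub.dev/', '/api/items'];
  for (final url in requests) {
    print('$url  baseUrl-only=${checker.checkBaseUrlOnly(url)}  '
        'per-request=${checker.checkRequestHost(url)}');
  }
}
```

Only the per-request check rejects the `https://pub.dev/` request; the relative path `/api/items` resolves to the base host and passes both checks.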