The DefaultHostnameVerifier parses the subject DN by tokenizing on the comma.
This could allow specially crafted certificate DNs to inject a common name.
For instance:
/CN=a.foo.com/O=CN=b.embed.com, foo/
Would parse as multiple CNs even though the second CN is embedded in the O
attribute.
The DefaultHostnameVerifier is used for LDAPS connections when a custom socket
factory is not provided.
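As an added illustration (not code from the project or the reporter), the following Python contrasts a comma-tokenizing CN extractor with one that honours RFC 4514 escaping and quoting; the test DN is a constructed RFC 4514 rendering of the slash-style example above, in which the comma inside the O value is escaped.

```python
"""Subject DN parsing: naive comma split versus RFC 4514-aware tokenizing."""
import re

# Constructed test DN: RFC 4514 string form of the issue's slash-style example
# /CN=a.foo.com/O=CN=b.embed.com, foo/ (the comma in O's value is escaped).
EXAMPLE_DN = r"CN=a.foo.com,O=CN=b.embed.com\, foo"


def naive_cns(dn: str) -> list[str]:
    """Mimics the flawed approach: split on ',' and take anything after 'cn='."""
    cns = []
    for token in dn.split(","):
        idx = token.lower().find("cn=")
        if idx != -1:
            cns.append(token[idx + 3:].strip())
    return cns


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash escapes and quotes."""
    rdns, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pair intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:       # only an unescaped, unquoted comma separates RDNs
            rdns.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    rdns.append("".join(cur))
    return rdns


def unescape(value: str) -> str:
    """Remove RFC 4514 escaping (\\X and \\hh) and surrounding quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def strict_cns(dn: str) -> list[str]:
    """Only the attribute type at the start of each RDN counts as a CN."""
    cns = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        if typ.strip().lower() == "cn":
            cns.append(unescape(val))
    return cns
```

The naive extractor reports two CNs for the example DN, while the escape-aware one reports only a.foo.com.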
Original issue reported on code.google.com by dfis...@gmail.com on 3 Sep 2014 at 5:52