haresh14 / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

ldaptive: bug in default certificate hostname verifier #227

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The DefaultHostnameVerifier parses the subject DN by tokenizing on the comma.
This could allow specially crafted certificate DNs to inject a common name.

For instance:
/CN=a.foo.com/O=CN=b.embed.com, foo/

Would parse as multiple CNs even though the second CN is embedded in the O 
attribute.

The DefaultHostnameVerifier is used for LDAPS connections when a custom socket 
factory is not provided.

Original issue reported on code.google.com by dfis...@gmail.com on 3 Sep 2014 at 6:15

GoogleCodeExporter commented 9 years ago
Code no longer parses the DN as a string.
The DN is parsed from its BER encoding.
Fixed in r3053.

Original comment by dfis...@gmail.com on 5 Sep 2014 at 6:09
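
An added illustration of the flaw reported in this issue and of the fix described in the comment above; it is not ldaptive's code and is written in Python rather than the library's Java. The naive tokenizer, all function names and the sample subject (built from the DN in the report, DER being the BER subset used in certificates) are constructed for this example.

```python
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName

def tlv(tag, body):
    """Encode one DER TLV (short-form length only, enough for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def rdn(oid, value):
    """SET { SEQUENCE { OID, UTF8String } }: one single-valued RDN."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, value.encode())))

# Constructed subject: CN=a.foo.com plus an O whose value embeds "CN=".
SAMPLE_DER = tlv(0x30, rdn(OID_CN, "a.foo.com") + rdn(OID_O, "CN=b.embed.com, foo"))
SAMPLE_STR = "CN=a.foo.com, O=CN=b.embed.com, foo"  # unescaped string rendering

def naive_cns(dn):
    """Hypothetical comma tokenizer: any token containing 'CN=' counts as a CN."""
    cns = []
    for token in dn.split(","):
        _, found, value = token.partition("CN=")
        if found:
            cns.append(value.strip())
    return cns

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def der_cns(name_der):
    """Collect CN values by attribute type OID; values are never re-tokenized."""
    tag, body, end = read_tlv(name_der, 0)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("not a single DER SEQUENCE")
    cns = []
    for _, rdn_body in children(body):        # each RDN (SET)
        for _, atv in children(rdn_body):     # each AttributeTypeAndValue
            (t, oid), (_, value) = children(atv)
            if t == 0x06 and oid == OID_CN:
                cns.append(value.decode("utf-8"))
    return cns
```

On the string form the tokenizer reports two common names, while the structural parse sees one CN and treats the O value as opaque data.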

GoogleCodeExporter commented 9 years ago

Original comment by dfis...@gmail.com on 9 Sep 2014 at 2:57