suesianne / vt-middleware

Automatically exported from code.google.com/p/vt-middleware
0 stars 0 forks source link

vt-ldap: bug in default certificate hostname verifier #226

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The DefaultHostnameVerifier parses the subject DN by tokenizing on the comma.
This could allow specially crafted certificate DNs to inject a common name.

For instance:
/CN=a.foo.com/O=CN=b.embed.com, foo/

Would parse as multiple CNs even though the second CN is embed in the O 
attribute.

The DefaultHostnameVerifier is used for LDAPS connection when a custom socket 
factory is not provided.

Original issue reported on code.google.com by dfis...@gmail.com on 3 Sep 2014 at 5:52

GoogleCodeExporter commented 8 years ago
Fixed in r3046.

Original comment by dfis...@gmail.com on 3 Sep 2014 at 6:07