On 21 Aug 2014, at 15:26, Oleg Kalnichevski <[email protected]> wrote:
> I have pretty much completely rewritten every bit of code related to
> hostname verification in SVN trunk.
>
> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>
> I would truly appreciate someone doing a peer review of the changes
> and / or giving me feedback with regards to further improvements.

Looks good. Couple of thoughts:

- BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN

  My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically https://publicsuffix.org/list/effective_tld_names.dat to get the depth right.

- regex for the pattern

  From my read - it seems that you build it with input under the user's control, if I am not mistaken - yet it could be more than mere characters. So I am a bit worried about evil regexes slipping in (e.g. ReDoS) and then causing some sort of exhaustion*.

- countDots function

  Prolly no longer used.

Dw.

* Having said that - I tried a few obvious ones - and have not gotten a decent example yet.
    /**
     * Evil Regex example(s) / openssl req -new -x509 -nodes -keyout /dev/null -subj "/CN=^(([a-z])+.)+[A-Z]([a-z])+$"
     */
    public final static byte[] X509_EVIL_REGEX_1 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIICGjCCAYOgAwIBAgIJAOo56cPW09+fMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV\n" +
            "BAMMG14oKFthLXpdKSsuKStbQS1aXShbYS16XSkrJDAeFw0xNDA4MjExMzAzMTVa\n" +
            "Fw0xNDA5MjAxMzAzMTVaMCYxJDAiBgNVBAMMG14oKFthLXpdKSsuKStbQS1aXShb\n" +
            "YS16XSkrJDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3Qo9S/QuEAmVnV9O\n" +
            "g7TsdUfjhV+szbCiia3S1Wyywmn70x7UOuxN05kEuYiQOljHk+lcLbZqFjkDoCde\n" +
            "3sTrYzocsDV1F44aoIDNf6FoTF4zvO5DrH5PQ7AXS0ot9QLwHbBbNnc8BUDUxcro\n" +
            "v4lpDbo7OHdneLPC3iMy6H+TTHUCAwEAAaNQME4wHQYDVR0OBBYEFER/UmoLTblm\n" +
            "HC4lnANRHTJJ81aBMB8GA1UdIwQYMBaAFER/UmoLTblmHC4lnANRHTJJ81aBMAwG\n" +
            "A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQdpC4WQ15IN6lzaA0S3QjSRG\n" +
            "Sk9Ds4iepfM2xWDFI78oTtYvnffv0Ow+Yzs2QoDHVyRZO7IS9gBWAmGvVvZbTXJD\n" +
            "tNofNu074GddS9P1GSj+cd4XsX5pDW8QlYPupg3/5XV3l2i99Eo/EodP3U3WnZd7\n" +
            "pTUwN+iCW4sz516Tp40=\n" +
            "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_2 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIIB9jCCAV+gAwIBAgIJAKFcCPW2esygMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV\n" +
            "BAMMCSguKmEpezMwfTAeFw0xNDA4MjExMzIxMDBaFw0xNDA5MjAxMzIxMDBaMBQx\n" +
            "EjAQBgNVBAMMCSguKmEpezMwfTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA\n" +
            "l4ajddWLAnNAbMkrInDgn5MH5bleFUm1Aq+HDxuBEmy1vabxoyV5GDexL9NquAsL\n" +
            "AxOLihWFMjG6NpPCB4rQa98vBSEaj2N+Yp4DTfS01INkOxxOQX+zNfh54GDeJfQS\n" +
            "0/+BdzZsGVhE6/ekPLh4He3MO9vC6hXaD79beIRdTN8CAwEAAaNQME4wHQYDVR0O\n" +
            "BBYEFODDhk2qLs0qraeXtwHBRE3C1VWPMB8GA1UdIwQYMBaAFODDhk2qLs0qraeX\n" +
            "twHBRE3C1VWPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQHwEiaOy\n" +
            "NMs8XbZfbovlXUDtIm20PiQ82TZHYb0kGd+UhcBfGMewi1wO2/ETYToVFbKaELTm\n" +
            "cQcad5TQM6KnACi1uZSJLLMO9eFT4sF9ZErcVPNPvszcE0K5PBWu7m4el7ZG4tOe\n" +
            "eMam4OzNiZpNy+9aXe4Zh4ZvxS/ReD7+PHM=\n" +
            "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_3 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIIB+DCCAWGgAwIBAgIJAJyEzt1ofEhdMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV\n" +
            "BAMMCihhYXxhYWI/KSswHhcNMTQwODIxMTQ1MzIwWhcNMTQwOTIwMTQ1MzIwWjAV\n" +
            "MRMwEQYDVQQDDAooYWF8YWFiPykrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
            "gQC9XeUm4juhMbeqyMdUgU9Oiudec89Yp+68jfg1397w8yoSrxssUucicnpBS7Kf\n" +
            "M0JDy3E3CWSa/mphey9zS+rxxHE+p4u7h3uCZanTe4RcrkRy8jF4VdroDqugm+1T\n" +
            "PIV24mNFCsHQU7w4EiWLgvnxkCrBfFmpHEwOYp2GH7/E5QIDAQABo1AwTjAdBgNV\n" +
            "HQ4EFgQUdbxxDEpEMjiY0viM0EfNWWtZPIgwHwYDVR0jBBgwFoAUdbxxDEpEMjiY\n" +
            "0viM0EfNWWtZPIgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCuBjrr\n" +
            "Xdn9KxN5WMwLZ/K6zj403s7eia8Pl2SNofPj7V5t5vXbhCceM1g2NTy1XgB/remx\n" +
            "6o3V4Lw94uj3WFdp8UT3sL+PNUuUgg98zUgCcED9EMMU0mKdcHzrwjzZBTjQOF/I\n" +
            "ggNk2gVdv6awgBUel0hcWY9/F9a3pNWYMmFn5A==\n" +
            "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_4 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIIB8jCCAVugAwIBAgIJAPU+FLeLYdGUMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
            "BAMMB14oYSspKyQwHhcNMTQwODIxMTQ1NzExWhcNMTQwOTIwMTQ1NzExWjASMRAw\n" +
            "DgYDVQQDDAdeKGErKSskMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYIkgN\n" +
            "N4Y8ZCIjztOzuzqth7gObsuSR7BjWp4FTg9T6J2hfyBrxu1WZY/J/4b01VdJMNE5\n" +
            "yMQI9A49i229DSSXKssv9VsLNgRN5X2el4HQg9ibialgB6KUwmL+c2vv4hJ92mrc\n" +
            "lnr54CVsXmxgABYhShkWZqIuTyAUE2r1FVqQtQIDAQABo1AwTjAdBgNVHQ4EFgQU\n" +
            "36WZSogs45HIg7G8MWKfU+NsSBQwHwYDVR0jBBgwFoAU36WZSogs45HIg7G8MWKf\n" +
            "U+NsSBQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBvzGB/5B4tF7dz\n" +
            "ME1AhudTbmHyuPAGhGg3DUpPBNNZHHgYS1zGpXgcDlOaXYuvFrb81sCVGNAhCijq\n" +
            "wMiQEwW2GWWKi7qNnj/W35OyVsXTchfRXuL75ZcVzABa8hdldijwhvFHev75X+HW\n" +
            "Nr5sa4rDYtwqkERMJCtSpE9lETID2A==\n" +
            "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_5 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIIB9DCCAV2gAwIBAgIJAJkLISjl9geAMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV\n" +
            "BAMMCCgqYSl7MzB9MB4XDTE0MDgyMTE1MDM1MFoXDTE0MDkyMDE1MDM1MFowEzER\n" +
            "MA8GA1UEAwwIKCphKXszMH0wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOLH\n" +
            "GTkGbs0+/7AQoVYG/nHgSLmr9pnd5oAcOVp/ncN7csMrQab4ftfZNFrEsAseRNl5\n" +
            "5b1CD0hkz3+sfXdocNUZl7bmkpIqhyHqo2QULbR9j7fTH8IIDbsipMj45FS6gm3P\n" +
            "ryL6n99z2jxpkUu6MgR9FNO9uUer57idANstbJwjAgMBAAGjUDBOMB0GA1UdDgQW\n" +
            "BBTmSxwccA9GPyAF7qhlUF9XTghFzDAfBgNVHSMEGDAWgBTmSxwccA9GPyAF7qhl\n" +
            "UF9XTghFzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEwPdipEPBGp\n" +
            "3ajUKj6Fq4AdI8lOZIFrghjSNDqRe2ANybjwETt/seYOAdIFxlhW2ALDp8mNJAKP\n" +
            "5s5aFjeNlUvQKmtLm2ZDIQ0GlrjXZ3R1et1Qwd9XPBGsHK8pmmJZB9pbqdWzVF+w\n" +
            "5cgEPhsWHxM16wVtFUIMskyhtlO+Ai/6\n" +
            "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_6 = (
            "-----BEGIN CERTIFICATE-----\n" +
            "MIICVjCCAgCgAwIBAgIJAMskaCGIhO70MA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
            "BAMMB2lnbm9yZWQwHhcNMTQwODIxMTUzNjA1WhcNMTQwOTIwMTUzNjA1WjASMRAw\n" +
            "DgYDVQQDDAdpZ25vcmVkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQg+BI6DYd0\n" +
            "RviglOAXhp58CKloK1pzenOugAJ8afCTszQVUzWN+cq5ZS0lxdLQ0WOS2jCDlJfW\n" +
            "j2XQOBLsuQUCAwEAAaOCATcwggEzMAsGA1UdDwQEAwIF4DAJBgNVHRMEAjAAMIIB\n" +
            "FwYDVR0RBIIBDjCCAQqgEAYDKgMEoAkMB14oYSspKySgEgYDKgMEoAsMCSguKmEp\n" +
            "ezMwfaARBgMqAwSgCgwIKCphKXszMH2gEwYDKgMEoAwMCihhYXxhYWI/KSuCFDEu\n" +
            "Mi4zLjQ7VVRGODpeKGErKSskghYxLjIuMy40O1VURjg6KC4qYSl7MzB9ghUxLjIu\n" +
            "My40O1VURjg6KCphKXszMH2CFzEuMi4zLjQ7VVRGODooYWF8YWFiPykrgRQxLjIu\n" +
            "My40O1VURjg6XihhKykrJIEWMS4yLjMuNDtVVEY4OiguKmEpezMwfYEVMS4yLjMu\n" +
            "NDtVVEY4OigqYSl7MzB9gRcxLjIuMy40O1VURjg6KGFhfGFhYj8pKzANBgkqhkiG\n" +
            "9w0BAQUFAANBAA+NxqNkEqYRWL0Z5940zk4ddZxgD4HnQiOcsEWm0Akys370T7iQ\n" +
            "KNiBrfnX7Uf8VF7ZkxmxXH39Xo6hIqHfTXo=\n" +
            "-----END CERTIFICATE-----").getBytes();
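An added example, not HttpClient's code and not part of this thread, of the defensive shape the ReDoS comment above argues for: the identity taken from the certificate (CN or dNSName) is compared as a literal string with one constrained wildcard and is never compiled into a regex, so a subject like the openssl `-subj` pattern in the comment is simply inert. Class and method names are assumed, the sample host/identity pairs are constructed, and the public-suffix depth question raised above is out of scope.

```java
import java.util.Locale;

// Hypothetical class; illustrates literal hostname matching without regex construction.
public final class LiteralHostnameMatcher {

    // Risky shape (NOT used here): Pattern.compile(identity.replace("*", "[^.]*")).
    // There the certificate subject is regex source, so a subject such as the one
    // produced by the openssl command in the thread would be compiled and backtracked.

    // Safe shape: plain comparisons. At most one '*', only in the leftmost label,
    // never spanning a '.', and at least two labels must follow the wildcard label.
    static boolean matchIdentity(String host, String identity) {
        String h = host.toLowerCase(Locale.ROOT);
        String id = identity.toLowerCase(Locale.ROOT);
        int star = id.indexOf('*');
        if (star < 0) {
            return h.equals(id);          // exact match; regex metacharacters mean nothing
        }
        int firstDot = id.indexOf('.');
        if (firstDot < 0 || star > firstDot || id.indexOf('*', star + 1) >= 0) {
            return false;                 // wildcard outside the leftmost label, or more than one
        }
        if (id.indexOf('.', firstDot + 1) < 0) {
            return false;                 // "*.com" style: too shallow (no public-suffix lookup here)
        }
        String idPrefix = id.substring(0, star);
        String idSuffix = id.substring(star + 1, firstDot);
        String idDomain = id.substring(firstDot);            // e.g. ".example.com"
        int hDot = h.indexOf('.');
        if (hDot <= 0 || !h.substring(hDot).equals(idDomain)) {
            return false;                 // other parent domain, or wildcard would span labels
        }
        String hLabel = h.substring(0, hDot);
        return hLabel.length() >= idPrefix.length() + idSuffix.length()
                && hLabel.startsWith(idPrefix) && hLabel.endsWith(idSuffix);
    }

    public static void main(String[] args) {
        // Constructed sample pairs (host, identity); expected results in the comments.
        String[][] cases = {
            {"www.example.com", "www.example.com"},                 // true
            {"www.example.com", "*.example.com"},                   // true
            {"a.b.example.com", "*.example.com"},                   // false: wildcard must not span labels
            {"www.example.com", "*.com"},                           // false: too shallow
            {"www.example.com", "^(([a-z])+.)+[A-Z]([a-z])+$"},     // false: compared literally, no backtracking
        };
        for (String[] c : cases) {
            System.out.println(c[1] + " vs " + c[0] + " -> " + matchIdentity(c[0], c[1]));
        }
    }
}
```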
