On Thu, 2014-08-21 at 18:36 +0200, Dirk-Willem van Gulik wrote:
> On 21 Aug 2014, at 17:50, Dirk-Willem van Gulik <[email protected]> 
> wrote:
> 
> > 
> > On 21 Aug 2014, at 15:26, Oleg Kalnichevski <[email protected]> 
> > wrote:
> > 
> >> I have pretty much completely rewritten every bit of code related to
> >> hostname verification in SVN trunk. 
> >> 
> >> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> >> 
> >> I would truly appreciate someone doing a peer review of the changes
> >> and / or giving me feedback with regards to further improvements.
> > 
> > - regex for the pattern
> > 
> > From my read - it seems that you build with input under the user control if 
> > I am not mistaken - yet it could be more than mere characters. 
> > 
> > So I am a bit worried about evil regexes slipping in (e.g. ReDoS); and 
> > then causing some sort of exhaustion*.
> > 
> 
> Found that some of the below are indeed able to hang the regex stack (e.g. # 2). 
> However the more elaborate regexes are blocked by:
> 
>       private final static Pattern WILDCARD_PATTERN = Pattern.compile( 
> "^[a-z0-9\\-\\*]+(\\.[a-z0-9\\-]+){2,}$", Pattern.CASE_INSENSITIVE);
>               ..
>               WILDCARD_PATTERN.matcher(identity).matches()
> 
> which we apply to the subjectAltName, CN, etc. So that is not too bad then - 
> assuming that that regex does not let them through. Which is likely - as the 
> only dangerous thing I see in there is a *.
> 

Hi Dirk-Willem

Thank you so much for your feedback. What I could do is validate both
the identity and the subjectAltName pattern by making sure they consist
of characters legal for domain names (alphanumeric, dash and asterisk in
case of subjectAltName) prior to doing regexp matching with them.

> Obviously - as we get into UTF8 internationalized domain names - we may 
> accidentally break that protection at some point.
> 

Would not internationalized domain names be Punycode encoded instead?

Oleg
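The following is an added illustration of the approach discussed in this thread (character whitelist applied to the certificate identity before any regex is built from it); it is not code from HttpClient and is written in Python rather than the project's Java. It assumes that internationalized names are converted to Punycode (A-labels) before the check, which is the normalisation Oleg's question points at; the wildcard rules (one '*', first label only) are stricter than the quoted WILDCARD_PATTERN and are this example's own choice.

```python
import re

# Whitelist quoted in the thread for wildcard identities: the left-most label may
# contain letters, digits, dash and '*'; at least two further plain labels follow.
WILDCARD_PATTERN = re.compile(r"^[a-z0-9\-\*]+(\.[a-z0-9\-]+){2,}$", re.IGNORECASE)
# Plain hostnames (and the host being verified): labels of letters, digits, dash.
HOSTNAME_PATTERN = re.compile(r"^[a-z0-9\-]+(\.[a-z0-9\-]+)+$", re.IGNORECASE)


def to_ascii(name: str) -> str:
    """Normalise an internationalized name to its Punycode (A-label) form so the
    ASCII whitelist still applies; pure-ASCII input passes through unchanged.
    (Assumption of this example: IDNs are compared in A-label form.)"""
    return name.encode("idna").decode("ascii").lower()


def is_valid_identity(identity: str) -> bool:
    """Reject any certificate identity that is not a syntactically clean
    hostname or wildcard BEFORE a regex is ever built from it."""
    if "*" in identity:
        # Stricter than the quoted whitelist: exactly one '*' (the whitelist
        # already confines it to the first label).
        return WILDCARD_PATTERN.match(identity) is not None and identity.count("*") == 1
    return HOSTNAME_PATTERN.match(identity) is not None


def matches_identity(host: str, identity: str) -> bool:
    """True if `host` is covered by certificate `identity`: an exact name or a
    first-label wildcard such as *.example.com or f*o.example.com."""
    try:
        host, identity = to_ascii(host), to_ascii(identity)
    except UnicodeError:  # empty or oversized label, undecodable input
        return False
    if not HOSTNAME_PATTERN.match(host) or not is_valid_identity(identity):
        return False
    if "*" not in identity:
        return host == identity
    head, _, tail = identity.partition(".")
    # Only escaped literals reach the regex engine: '*' becomes exactly one DNS
    # label and the fixed suffix is matched verbatim, so no certificate-supplied
    # metacharacter can shape the pattern (no ReDoS surface).
    pattern = "^" + re.escape(head).replace(r"\*", "[a-z0-9-]+") + r"\." + re.escape(tail) + "$"
    return re.match(pattern, host) is not None
```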