Md Mahir Asef Kabir created NUTCH-2786:
------------------------------------------
Summary: TrustManager methods do not have certificate validation logic
Key: NUTCH-2786
URL: https://issues.apache.org/jira/browse/NUTCH-2786
Project: Nutch
Issue Type: Improvement
Reporter: Md Mahir Asef Kabir
* *Vulnerability Description:* In
“src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”
overridden TrustManager methods (i.e. checkClientTrusted and
checkServerTrusted) do not have validation logic for certificates.
* *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager
implements X509TrustManager and it overrides the standard TrustManager methods
(i.e. checkClientTrusted and checkServerTrusted) to do nothing but returning
hard-coded *true*. Certificate validation is expected to be handled by these
methods. Doing nothing means no verification.
* *Suggested Fix:* Adding necessary certificate verification logic in the
overridden methods.
* *Feedback:* Please select any of the options down below to help us get an
idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)