[ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17099077#comment-17099077 ]
ASF GitHub Bot commented on NUTCH-2786:
---------------------------------------

AthenaXiao opened a new pull request #524:
URL: https://github.com/apache/nutch/pull/524

Thanks for your contribution to [Apache Nutch](https://nutch.apache.org/)! Your help is appreciated!

Before opening the pull request, please verify that

* there is an open issue on the [Nutch issue tracker](https://issues.apache.org/jira/projects/NUTCH) which describes the problem or the improvement. We cannot accept pull requests without an issue because the change wouldn't be listed in the release notes.
* the issue ID (`NUTCH-XXXX`)
  - is referenced in the title of the pull request
  - and placed in front of your commit messages
* commits are squashed into a single one (or few commits for larger changes)
* Java source code follows [Nutch Eclipse Code Formatting rules](https://github.com/apache/nutch/blob/master/eclipse-codeformat.xml)
* Nutch is successfully built and unit tests pass by running `ant clean runtime test`
* there should be no conflicts when merging the pull request branch into the *recent* master branch. If there are conflicts, please try to rebase the pull request branch on top of a freshly pulled master branch.

We will be able to integrate your pull request faster if these conditions are met. If you have any questions about how to fix your problem or about using Nutch in general, please sign up for the [Nutch mailing list](https://nutch.apache.org/mailing_lists.html).

Thanks!

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
> Key: NUTCH-2786
> URL: https://issues.apache.org/jira/browse/NUTCH-2786
> Project: Nutch
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> * *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” the overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
> * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
> * *Suggested Fix:* Add the necessary certificate verification logic in the overridden methods.
> * *Feedback:* Please select any of the options below to help us get an idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful

--
This message was sent by Atlassian Jira
(v8.3.4#803005)