On Tue, Jan 31, 2012 at 10:23 AM, Erich E. Hoover <[email protected]> wrote:
> On Tue, Jan 31, 2012 at 10:04 AM, Juan Lang <[email protected]> wrote:
>> Sorry I didn't spot this earlier. Without this, someone who registers
>> a certificate common name with an embedded NULL, like
>> "codeweavers.com\0.badguy", could fool crypt32 into accepting it for a
>> domain it isn't registered to, codeweavers.com in my example.
>
> It looks like you've just changed it to allow more than one NULL at
> the end... It seems to me that the matching code already handles the
> case of an embedded NULL, since it goes through the allowed_len
> characters and manually checks each byte (rather than using a routine
> like strcmp() which stops at NULLs).

Please forgive the "Reply to all" fail.

Erich Hoover
[email protected]
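
The difference the thread turns on, as an added example that is not part of the original message and is not crypt32's code: a comparison that stops at the first NUL next to one that walks the full counted length. The function names are hypothetical, the sample name is constructed from the one quoted above, and trimming NULs only at the very end of the name is an assumption based on the "more than one NULL at the end" remark.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a length-counted common name with a NUL embedded
 * after the trusted-looking prefix, as in the example from the thread. */
static const char sample_cn[] = "codeweavers.com\0.badguy";
#define SAMPLE_CN_LEN (sizeof(sample_cn) - 1)

/* Hypothetical C-string matcher: strcmp() stops at the first NUL, so the
 * ".badguy" suffix is never examined. */
static int match_cstring(const char *cn, const char *host)
{
    return strcmp(cn, host) == 0;
}

/* Hypothetical length-aware matcher. Assumption: NULs at the very end of
 * the counted string are tolerated and trimmed; a NUL anywhere else
 * rejects the name outright. */
static int match_counted(const char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host), i;

    while (cn_len > 0 && cn[cn_len - 1] == '\0')
        cn_len--;                          /* trim trailing NULs only */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                          /* embedded NUL */
    if (cn_len != host_len)
        return 0;                          /* every byte must be covered */
    for (i = 0; i < cn_len; i++)
        if (tolower((unsigned char)cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("strcmp-style: %d\n", match_cstring(sample_cn, "codeweavers.com"));
    printf("length-aware: %d\n",
           match_counted(sample_cn, SAMPLE_CN_LEN, "codeweavers.com"));
    return 0;
}
```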
