diff options
author | Peter Hartmann <peter.hartmann@nokia.com> | 2010-08-10 11:59:57 (GMT) |
---|---|---|
committer | Peter Hartmann <peter.hartmann@nokia.com> | 2010-08-10 12:31:43 (GMT) |
commit | 87c62128266a4e2289c1854e35aba3fc17d44045 (patch) | |
tree | 3936623d671e741d95c4dcb33e7ce0ee2f9f8a74 /src/network/ssl | |
parent | b5f95fbf615b113e3e6d2b42f6b84309d6588b1f (diff) | |
download | Qt-87c62128266a4e2289c1854e35aba3fc17d44045.zip Qt-87c62128266a4e2289c1854e35aba3fc17d44045.tar.gz Qt-87c62128266a4e2289c1854e35aba3fc17d44045.tar.bz2 |
QSslSocket: fix security vulnerability with wildcard IP addresses
This fixes Westpoint Security issue with Advisory ID#: wp-10-0001.
Before, we would allow wildcards in IP addresses like *.2.3.4 ; now,
IP addresses must match excatly.
Patch-by: Richard J. Moore <rich@kde.org>
Task-number: QT-3704
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 103a7ef..625d739 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -992,6 +992,11 @@ bool QSslSocketBackendPrivate::isMatchingHostname(const QString &cn, const QStri if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot)) return false; + // Check if the hostname is an IP address, if so then wildcards are not allowed + QHostAddress addr(hostname); + if (!addr.isNull()) + return false; + // Ok, I guess this was a wildcard CN and the hostname matches. return true; } |