summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPeter Hartmann <peter.hartmann@nokia.com>2010-08-10 11:59:57 (GMT)
committerJesper Thomschutz <jesper.thomschutz@nokia.com>2010-08-11 08:41:18 (GMT)
commitb5ab5d8c59b1cfbf762ea584af65ec776f9f1b95 (patch)
tree133d0c0f30c0252605595e647f76d6c366df6fdb /src
parente0167ee787bd0d28a9de0278c3f70f30151e2be6 (diff)
downloadQt-b5ab5d8c59b1cfbf762ea584af65ec776f9f1b95.zip
Qt-b5ab5d8c59b1cfbf762ea584af65ec776f9f1b95.tar.gz
Qt-b5ab5d8c59b1cfbf762ea584af65ec776f9f1b95.tar.bz2
QSslSocket: fix security vulnerability with wildcard IP addresses
This fixes Westpoint Security issue with Advisory ID#: wp-10-0001. Before, we would allow wildcards in IP addresses like *.2.3.4 ; now, IP addresses must match excatly. Patch-by: Richard J. Moore <rich@kde.org> Task-number: QT-3704 (cherry picked from commit 846f1b44eea4bb34d080d055badb40a4a13d369e)
Diffstat (limited to 'src')
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index f181206..2fd9901 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1282,6 +1282,11 @@ bool QSslSocketBackendPrivate::isMatchingHostname(const QString &cn, const QStri
if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
return false;
+ // Check if the hostname is an IP address, if so then wildcards are not allowed
+ QHostAddress addr(hostname);
+ if (!addr.isNull())
+ return false;
+
// Ok, I guess this was a wildcard CN and the hostname matches.
return true;
}
generated by cgit v0.12 at 2025-08-06 17:08:42 (GMT)