hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: CVE-2014-3577 postmortem
Date Fri, 22 Aug 2014 07:09:32 GMT
On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <olegk@apache.org> wrote the following:
> 
> > I have pretty much completely rewritten every bit of code related to
> > hostname verification in SVN trunk. 
> > 
> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> > 
> > I would truly appreciate someone doing a peer review of the changes
> > and / or giving me feedback with regards to further improvements.
> 
> Looks good. Couple of thoughts
> 

Continued.

> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN 
> 
> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically 
> 

Would you recommend the file be retrieved at runtime dynamically or
shipped with the application as a static resource (and updated with
every public release)? 


>  about evil regexes slipping in (e.g. ReDoS); and then causing some sort of exhaustion*.
> 
> - countDots function
> 
> Prolly no longer used.
> 

Not needed, and it should never have been a part of the public APIs in the first
place, but we need to keep it for full backward compatibility.

Thank you once again.

Oleg
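One way to express the rule discussed above (a wildcard identity must never cover a whole public suffix such as co.uk, and the matching should avoid regexes to keep ReDoS out of the picture), written here as an added illustration rather than HttpClient's own code; the suffix set is a small constructed snapshot standing in for the full publicsuffix.org list, and the class and method names are assumed:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class WildcardSuffixCheck {

    // Constructed, illustrative snapshot of public-suffix rules. A real deployment
    // would load the full list from publicsuffix.org (shipped as a resource or
    // fetched and cached), not hard-code a handful of entries like this.
    private static final Set<String> PUBLIC_SUFFIXES = new HashSet<>(Arrays.asList(
            "com", "org", "net", "uk", "co.uk", "org.uk", "au", "com.au", "jp", "co.jp"));

    private WildcardSuffixCheck() {}

    /** True if the identity is a wildcard that would match every host under a public suffix, e.g. "*.co.uk". */
    public static boolean isOverbroadWildcard(String identity) {
        String id = identity.toLowerCase(Locale.ROOT);
        return id.startsWith("*.") && PUBLIC_SUFFIXES.contains(id.substring(2));
    }

    /**
     * Matches a certificate identity against a host using plain string comparison
     * (no regex, so no ReDoS surface). Wildcard rules: a single '*', only as the
     * whole leftmost label, matching exactly one label, never a public suffix.
     */
    public static boolean matches(String host, String identity) {
        String h = host.toLowerCase(Locale.ROOT);
        String id = identity.toLowerCase(Locale.ROOT);
        int star = id.indexOf('*');
        if (star < 0) {
            return h.equals(id);                 // plain identity: exact match only
        }
        // Only "*.suffix" is accepted: the star is the first character, there is
        // exactly one star, a dot follows it, and the suffix is not a public suffix.
        if (star != 0 || id.indexOf('*', 1) >= 0 || !id.startsWith("*.") || isOverbroadWildcard(id)) {
            return false;
        }
        String suffix = id.substring(1);         // ".example.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String firstLabel = h.substring(0, h.length() - suffix.length());
        // The wildcard covers exactly one non-empty label, so "a.b.example.com" must not match.
        return !firstLabel.isEmpty() && firstLabel.indexOf('.') < 0;
    }
}
```

With this, `matches("www.example.com", "*.example.com")` is true, while `matches("www.example.co.uk", "*.co.uk")`, `matches("a.b.example.com", "*.example.com")` and `matches("example.com", "*.example.com")` are all false.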

