luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hsts: improve subdomain handling

Browse Source 
- on load, only replace existing HSTS entries if there is a full host
  match

- on matching, prefer a full host match and secondary the longest tail
  subdomain match

Closes #15210
This commit is contained in:
Daniel Stenberg 2024-10-09 10:04:35 +02:00
parent 461ce6c616
commit a94973805d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/hsts.c
View File

@ -249,11 +249,13 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
bool subdomain)
{
struct stsentry *bestsub = NULL;
if(h) {
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_node *e;
struct Curl_llist_node *n;
size_t blen = 0;
if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
return NULL;
@ -275,15 +277,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
size_t offs = hlen - ntail;
if((hostname[offs-1] == '.') &&
strncasecompare(&hostname[offs], sts->host, ntail))
return sts;
strncasecompare(&hostname[offs], sts->host, ntail) &&
(ntail > blen)) {
/* save the tail match with the longest tail */
bestsub = sts;
blen = ntail;
}
}
/* avoid strcasecompare because the host name is not null terminated */
if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
return sts;
}
}
return NULL; /* no match */
return bestsub;
}
/*
@ -435,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
e = Curl_hsts(h, p, subdomain);
if(!e)
result = hsts_create(h, p, subdomain, expires);
else {
else if(strcasecompare(p, e->host)) {
/* the same hostname, use the largest expire time */
if(expires > e->expires)
e->expires = expires;

2
tests/data/test1660
View File

@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
Input 12: error 43
Input 13: error 43
Input 14: error 43
3.example.com [example.com]: 1569905261 includeSubDomains
3.example.com [3.example.com]: 1569905261 includeSubDomains
3.example.com [example.com]: 1569905261 includeSubDomains
foo.example.com [example.com]: 1569905261 includeSubDomains
'foo.xample.com' is not HSTS