Comment 16 for bug 376484

In , Mozbugzilla (mozbugzilla) wrote :

Created an attachment (id=288137)
Minimal patch (addresses item b in comment 6)

(In reply to comment #15)
> If anyone would like to write a patch,

Here's a patch which I would call "minimal" in the sense that it tries to maintain backward compatibility as far as possible (i.e. it still supports all those patterns mentioned in comment 13).

Specifically, the patch changes these two things:

- in cert_TestHostName(), it makes sure that the '*' character is only considered for wildcard matching if it occurs in the leftmost DNS name component (otherwise, it's just compared as a literal character)

- modifies _shexp_match() to not match the '.' character when doing wildcard matching with '*'

I will also attach a short test program I used to verify the results of the new code. It's a bit more liberal than what RFCs 2595 and 4513 suggest ("THE left-most name component" implies that things like "www*.example.com", "w*w.example.com", "w*w**w.example.com" aren't valid wildcard expressions), but I don't think it hurts if we allow them for the time being.

> Alternatively, we can move nss/lib/util/portreg.{h,c} to
> nss/lib/certdb so that the PORT_RegExpCaseSearch doesn't need
> to be exported from the new libnssutil3.so shared library in
> NSS 3.12.

I would warmly recommend that - and also change the names of the three PORT_RegExpXXX() wrapper functions at that time... they are quite big misnomers, since the code doesn't do any regex matching at all (just zsh-like wildcard matching - other copies of this code living in the Mozilla tree use better names like "NS_WildCardMatch()"). If the code is left in lib/util, then at least the names should be changed - exporting PORT_RegExpCaseSearch as a public function from libnssutil3 seems like a bad idea to me.

In a further step, cert_TestHostName() could be actually modified to not rely on PORT_RegExpCaseSearch() any longer, in my opinion (or is there any need for supporting shell-style matching besides the '*' character?). Provided that there is a consensus in the NSS team on what exactly should be implemented, I would be willing to give it a try.

What are the chances of getting this into 3.12 (and Fx 3, therefore)? Whom can/should I ask for review?
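The two matching rules described above, written out as an added C example (this is not the attached patch or NSS's cert_TestHostName()/_shexp_match() code; the function names here are assumed): a '*' is a wildcard only in the leftmost DNS label, it never matches '.', and everything after the first '.' is compared as a literal, case-insensitively. It deliberately keeps the liberal forms like "w*w.example.com" that the comment says are still accepted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive literal comparison of two NUL-terminated strings. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Match pattern label [p, pend) against host label [h, hend).
 * '*' matches zero or more characters of the label; since the label ends
 * at the first '.', a '*' can never swallow a '.' (the second rule). */
static bool label_match(const char *p, const char *pend,
                        const char *h, const char *hend)
{
    while (p < pend) {
        if (*p == '*') {
            for (const char *t = h; ; t++) {
                if (label_match(p + 1, pend, t, hend))
                    return true;
                if (t == hend)
                    return false;
            }
        }
        if (h == hend || tolower((unsigned char)*p) != tolower((unsigned char)*h))
            return false;
        p++; h++;
    }
    return h == hend;
}

/* Does the certificate name 'pattern' cover 'host'?  Only the leftmost label
 * is wildcard-matched (the first rule); from the first '.' onward the names
 * are compared literally, so a '*' there is just an ordinary character. */
bool hostname_matches(const char *pattern, const char *host)
{
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    const char *pend = pdot ? pdot : pattern + strlen(pattern);
    const char *hend = hdot ? hdot : host + strlen(host);
    if ((pdot == NULL) != (hdot == NULL))
        return false;                 /* one name has a suffix, the other not */
    if (pdot && !ci_equal(pdot, hdot))
        return false;                 /* suffix differs ('*' is literal there) */
    return label_match(pattern, pend, host, hend);
}
```

The second and third checks are what closes the original problem: "*.example.com" no longer covers "a.b.example.com", and "www.*.com" no longer covers "www.example.com".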