Created an attachment (id=288681)
Alternative patch for (more restrictive) wildcard matching
(In reply to [my own] comment #16)
> In a further step, cert_TestHostName() could be actually modified to not rely
> on PORT_RegExpCaseSearch() any longer, in my opinion (or is there any need for
> supporting shell-style matching besides the '*' character?).
Here's an alternative patch (for cert_TestHostName) which implements a more "radical" solution, by further limiting the cases where '*' is interpreted as a wildcard character. From the explanation in the source:
/* for a cn pattern to be considered valid, the wildcard character...
- may occur in the first component only, and must be its last character
- may occur only once
- may be preceded by additional characters
*/
Of course this is (still) in line with RFCs 2595, 2818 and 4513, and has the advantage of no longer depending on PORT_RegExpCaseSearch (so portreg.{h,c} could actually be dropped from NSS, since cert_TestHostName is its only caller).
Can somebody (Nelson?) advise on how I should proceed? Is this patch acceptable for review, or would it also need to cover the changes to lib/util? Thanks for any guidance.
Created an attachment (id=288681)
Alternative patch for (more restrictive) wildcard matching
(In reply to [my own] comment #16) Search( ) any longer, in my opinion (or is there any need for
> In a further step, cert_TestHostName() could be actually modified to not rely
> on PORT_RegExpCase
> supporting shell-style matching besides the '*' character?).
Here's an alternative patch (for cert_TestHostName) which implements a more "radical" solution, by further limiting the cases where '*' is interpreted as a wildcard character. From the explanation in the source:
/* for a cn pattern to be considered valid, the wildcard character...
- may occur in the first component only, and must be its last character
- may occur only once
- may be preceded by additional characters
*/
Of course this is (still) in line with RFCs 2595, 2818 and 4513, and has the advantage of no longer depending on PORT_RegExpCase Search (so portreg.{h,c} could actually be dropped from NSS, since cert_TestHostName is its only caller).
Can somebody (Nelson?) advise on how I should proceed? Is this patch acceptable for review, or would it also need to cover the changes to lib/util? Thanks for any guidance.