authorPete Bentley <prb@google.com>2022-04-19 16:10:45 +0100
committerPete Bentley <prb@google.com>2022-04-22 15:18:04 +0000
commitd101e9eff44dcab231b6991acfbfda521124c682 (patch)
tree356279f7af225dcf3856a71256999d0668df52de
parent7255b1b7b42bd289231d60009615fa8376e34f38 (diff)
downloadokhttp-d101e9eff44dcab231b6991acfbfda521124c682.tar.gz
[DO NOT MERGE] Update external/okhttp/repackaged to match source.
The fix for CVE-2021-0341 in qt-dev was cherry-picked from pi-dev. However, while the repackaged okhttp files did not require merging for pi-dev, they *do* for qt-dev and beyond. This change merges them in qt-dev, and qt-qpr2-dev after automerging. It is set to do not merge because the fix was applied correctly to rvc-dev and all branches downstream of that. Bug: 171980069 Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: Ic47bb42d68c768277be0a8677cd9830ee03ff293
-rw-r--r--repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java31
1 files changed, 31 insertions, 0 deletions
diff --git a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
index 3cdd1bf..450e353 100644
--- a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
+++ b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
@@ -96,6 +96,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
* Returns true if {@code certificate} matches {@code hostName}.
*/
private boolean verifyHostName(String hostName, X509Certificate certificate) {
+ // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+ if (!isPrintableAscii(hostName)) {
+ return false;
+ }
+ // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
hostName = hostName.toLowerCase(Locale.US);
boolean hasDns = false;
List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
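Review bot: The added guard in verifyHostName is only effective because it runs before `hostName.toLowerCase(Locale.US)`, and nothing in the BEGIN/END comment records that ordering requirement. Case mapping can turn some non-ASCII characters into ASCII letters, so a later upstream merge that moved the check below the lowercase call would quietly reintroduce the mismatch this commit closes. I would add `// Must stay ahead of toLowerCase(): case mapping can fold non-ASCII characters into ASCII.` inside the Android-added block. The guard also makes a null hostName return false instead of reaching toLowerCase, which deserves a sentence in the method's Javadoc. The body of verifyHostName continues past the end of this hunk.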
@@ -198,6 +203,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
}
// hostName and pattern are now absolute domain names.
+ // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+ if (!isPrintableAscii(pattern)) {
+ return false;
+ }
+ // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
pattern = pattern.toLowerCase(Locale.US);
// hostName and pattern are now in lower case -- domain names are case-insensitive.
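Review bot: Only `pattern` is checked in this overload; `hostName` reaches the comparison below on the assumption that the certificate-level verifyHostName has already rejected non-ASCII input. That presumably holds for the call path touched by the first hunk, but this method's signature and visibility are outside the hunk, so if it is reachable from anywhere else the same guard is needed for `hostName`. Either add `if (!isPrintableAscii(hostName)) { return false; }` next to the pattern check, or state the precondition with a comment such as `// hostName was already validated by verifyHostName(String, X509Certificate)`. The enclosing method starts and ends outside this hunk.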
@@ -254,4 +264,25 @@ public final class OkHostnameVerifier implements HostnameVerifier {
// hostName matches pattern
return true;
}
+
+ // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+ /**
+ * Returns true if the input string contains only printable 7-bit ASCII
+ * characters, otherwise false.
+ */
+ private static final char DEL = 127;
+ static boolean isPrintableAscii(String input) {
+ if (input == null) {
+ return false;
+ }
+ for (char c : input.toCharArray()) {
+ // Space is illegal in a DNS name. DEL and anything less than space is non-printing so
+ // also illegal. Anything greater than DEL is not 7-bit.
+ if (c <= ' ' || c >= DEL) {
+ return false;
+ }
+ }
+ return true;
+ }
+ // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
}
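Review bot: The Javadoc block written for isPrintableAscii is immediately followed by `private static final char DEL = 127;`, so the doc comment attaches to the constant and the method itself ends up undocumented; move the constant above the `/**` line. The summary also says "printable 7-bit ASCII" while the loop rejects space as well (`c <= ' '`), so wording like `Returns true if input is non-null and every char is in '!'..'~' (printable ASCII, space excluded).` would match the code. An empty string returns true here, so callers must keep their own empty-name checks, which is worth stating in the same Javadoc.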