[ https://issues.jboss.org/browse/WFCORE-4302?page=com.atlassian.jira.plugi... ]
Diana Vilkolakova edited comment on WFCORE-4302 at 5/31/19 11:14 AM:
---------------------------------------------------------------------
[~dlofthouse] This relates to my recent changes in such a way that this complex regex
[~jstourac] used in the comment above: "[^.]*\\.example\\.com" is not allowed
now. Only regexes with square brackets, dots, question marks and asterisks are allowed. The
character '^' will not pass and nothing except dot can be escaped, so e.g. \W for
nonword characters is also not allowed. I don't think such complex regexes would be
used by users, but as [~dlofthouse] suggested, we will keep current validation and look
for user comments / bug reports. Validation for all possible regexes seems unnecessary.
was (Author: dvilkola):
[~dlofthouse] This relates to my recent changes in such a way that this complex regex
[~jstourac] used in the comment above: "[^.]*\\.example\\.com" is not allowed
now. Only regexes with square brackets, dots, question marks and asterisks are allowed. The
character '^' will not pass and nothing except dot can be escaped, so e.g. \W for
nonword characters is also not allowed. I don't think such complex regexes would be
used by users, but as [~dlofthouse] suggested, we will keep current validation and look
for user comments / bug reports.
SNI wildcard mappings match multiple level of subdomain
-------------------------------------------------------
Key: WFCORE-4302
URL: https://issues.jboss.org/browse/WFCORE-4302
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 7.0.0.Final
Environment: Wildfly build with undertow and wildfly-core modules built from the
following sources:
* https://github.com/stuartwdouglas/undertow/tree/sni
* https://github.com/stuartwdouglas/wildfly-core/tree/sni
Reporter: Pavel Jelinek
Assignee: Martin Mazanek
Priority: Major
Labels: SNI
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of
subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for:
{code}
.*\\.example\\.com
{code}
I expect that this mapping is selected for any single level of subdomain of
example.com although, in case of any extra subdomain, this mapping is not utilized.
In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used
instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
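An added example (not WildFly or Elytron code) comparing the mapping from the issue with the single-label regex quoted in the comment, run over the three hostnames from the description: `.` in `.*` also consumes the dots between labels, while `[^.]*` cannot. The class name and `singleLabelWildcard` are hypothetical, and evaluating the mapping as a full-string match with `matches()` is an assumption.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SniWildcardDemo {

    // Hypothetical helper (not a WildFly/Elytron API): turn a certificate-style
    // wildcard such as "*.example.com" into a regex in which '*' covers exactly
    // one non-empty DNS label and can never span a '.' into a deeper subdomain.
    static Pattern singleLabelWildcard(String wildcard) {
        String[] parts = wildcard.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                regex.append("[^.]+");              // one label, no dots
            }
            regex.append(Pattern.quote(parts[i]));  // everything else is literal
        }
        // Hostnames compare case-insensitively.
        return Pattern.compile(regex.toString(), Pattern.CASE_INSENSITIVE);
    }

    public static void main(String[] args) {
        // Hostnames taken from the issue description.
        List<String> hosts = List.of(
                "test.example.com",
                "another-test.example.com",
                "two-sublevel.one-sublevel.example.com");

        // Mapping as configured in the issue: '.' matches any character, dots included.
        Pattern reported = Pattern.compile(".*\\.example\\.com");
        // Regex quoted in the comment: the label part excludes '.'.
        Pattern oneLevel = Pattern.compile("[^.]*\\.example\\.com");
        // Same intent, derived from a wildcard name.
        Pattern fromWildcard = singleLabelWildcard("*.example.com");

        for (String host : hosts) {
            System.out.printf("%-40s reported=%-5b oneLevel=%-5b wildcard=%b%n",
                    host,
                    reported.matcher(host).matches(),
                    oneLevel.matcher(host).matches(),
                    fromWildcard.matcher(host).matches());
        }
    }
}
```

Unlike `[^.]*`, the helper's `[^.]+` also rejects an empty label such as `.example.com`.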