[JBoss JIRA] (WFCORE-4302) SNI wildcard mappings match multiple level of subdomain

Friday, 31 May 2019

    [
https://issues.jboss.org/browse/WFCORE-4302?page=com.atlassian.jira.plugi...
] 

Diana Vilkolakova edited comment on WFCORE-4302 at 5/31/19 11:14 AM:
---------------------------------------------------------------------

[~dlofthouse] This relates to my recent changes in such a way, that this complex regex
[~jstourac]  used in the comment above : "[^.]*\\.example\\.com"  is not allowed
now. Only regexes with quare brackets, dots, question marks and asterisks are allowed. The
character '^' will not pass and nothing except dot can be escaped, so eg. \W for
nonword characters is also not allowed. I don't think such complex regexes would be
used by users, but as [~dlofthouse] suggested, we will keep current validation and look
for user comments / bug reports. Validation for all possible regexes seems unnecessary.

was (Author: dvilkola):
[~dlofthouse] This relates to my recent changes in such a way, that this complex regex
[~jstourac]  used in the comment above : "[^.]*\\.example\\.com"  is not allowed
now. Only regexes with quare brackets, dots, question marks and asterisks are allowed. The
character '^' will not pass and nothing except dot can be escaped, so eg. \W for
nonword characters is also not allowed. I don't think such complex regexes would be
used by users, but as [~dlofthouse] suggested, we will keep current validation and look
for user comments / bug reports.

...
 SNI wildcard mappings match multiple level of subdomain
 -------------------------------------------------------

                 Key: WFCORE-4302
                 URL: https://issues.jboss.org/browse/WFCORE-4302
             Project: WildFly Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 7.0.0.Final
         Environment: Wildfly build with undertow and wildfly-core modules build from
following sources:
 * https://github.com/stuartwdouglas/undertow/tree/sni
 * https://github.com/stuartwdouglas/wildfly-core/tree/sni
            Reporter: Pavel Jelinek
            Assignee: Martin Mazanek
            Priority: Major
              Labels: SNI

 Based on the [text from
analasys|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
 {quote}
 Wildcard names use * as a wildcard, and can only be used to match a single level of
subdomain in much the same way as with wildcard certificates.
 {quote}
 As such, in case I have configured SNI mapping for:
 {code}
 .*\\.example\\.com
 {code}
 I expect that this mapping is selected for any single level of subdomain of example.com
although, in case of any extra subdomain, this mapping is not utilized. In other words,
following hostnames should match:
 {code}
 test.example.com
 another-test.example.com
 {code}
 although following should not be matched and default server-ssl-context shall be used
instead:
 {code}
 two-sublevel.one-sublevel.example.com
 {code}
 Current behaviour also matches also 'two-sublevel.one-sublevel.example.com'.

--
This message was sent by Atlassian Jira
(v7.12.1#712002)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006