[ruby-core:61545] [ruby-trunk - Bug #9644] [Open] ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much

Issue #9644 has been reported by Steffen Ullrich.

----------------------------------------
Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://bugs.ruby-lang.org/issues/9644

* Author: Steffen Ullrich
* Status: Open
* Priority: Normal
* Assignee:
* Category:
* Target version:
* ruby -v: 1.9, 2.0, 2.1
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------

Hi,

I'm not a ruby developer but the maintainer of the IO::Socket::SSL module in Perl. While comparing the state of the SSL implementations in various languages I've noticed that your validation of the hostname inside the certificate is wrong regarding wildcards.

According to RFC2818 (http) or RFC6125 (includes http and others) only the leftmost part of the name specification might contain a wildcard, e.g. `*.foo.bar` is allowed, but not `www.*.foo.bar` or even `www.*.*.*`. Unfortunately the implementation of `verify_certificate_identity` in openssl/ssl.rb (or openssl/ssl-internal.rb in older versions) does a global substitution of `*` with `[^.]+` and thus allows wildcards anywhere and also multiple wildcards.

I've verified my assumption with a certificate for `www.*.foo.*`, which got successfully verified against `www.bar.foo.org` or `www.foobar.foo.bar` on ruby 1.9.1. And, from looking at the code, the current ruby version has the same problem.

Also, from reading the code I understand that you use the same hostname verification for SMTP, IMAP and POP too. But the verification schemes for these protocols differ from http (see RFC2595 for SMTP, RFC4642 for IMAP and POP):

* while http allows something like www*.example.com the other protocols only allow *.example.com, e.g. the wildcard must fully replace the leftmost part of the hostname.
* while with http one should not check the common name if subject alternative names exist (and you've implemented it this way), with the other protocols one checks the common name too.

Regards,
Steffen

-- 
http://bugs.ruby-lang.org/
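As an added illustration (not code from the report or from openssl/ssl.rb), the following reconstructs the flawed matcher as the report describes it, a global substitution of `*` with `[^.]+`, next to a matcher that accepts a wildcard only in the leftmost label as RFC 6125 describes, with an assumed `strict:` option for the RFC 2595 rule that the wildcard must replace the whole leftmost label. The function names and the `strict:` parameter are this example's own.

```ruby
# Flawed matcher, reconstructed from the report's description: every "*"
# anywhere in the certificate name becomes "[^.]+", so wildcards are accepted
# in any label and in any number of labels (e.g. "www.*.foo.*").
def flawed_wildcard_match?(name, hostname)
  reg = Regexp.escape(name).gsub(/\\\*/, "[^.]+")
  !!(/\A#{reg}\z/i =~ hostname)
end

# Label-aware matcher: the wildcard may appear only in the leftmost label
# (RFC 6125 style, so "www*.example.com" is allowed). With strict: true the
# leftmost label must be exactly "*" (the RFC 2595 rule for SMTP/IMAP/POP).
def rfc_wildcard_match?(name, hostname, strict: false)
  labels = name.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)
  # A wildcard stands for exactly one label, so label counts must agree;
  # this also rejects "*.example.com" against "example.com".
  return false if labels.size != host_labels.size
  first, *rest = labels
  # No wildcard is permitted outside the leftmost label.
  return false if rest.any? { |l| l.include?("*") }
  # Every other label must match exactly.
  return false unless rest == host_labels[1..-1]
  return first == host_labels[0] unless first.include?("*")
  return false if strict && first != "*"
  # Allow a single wildcard inside the leftmost label, e.g. "www*".
  return false if first.count("*") > 1
  prefix, suffix = first.split("*", -1)
  hl = host_labels[0]
  hl.length >= prefix.length + suffix.length &&
    hl.start_with?(prefix) && hl.end_with?(suffix)
end

if __FILE__ == $0
  # The certificate name from the report, checked against the report's hostnames.
  p flawed_wildcard_match?("www.*.foo.*", "www.bar.foo.org")   # true  (accepted)
  p rfc_wildcard_match?("www.*.foo.*", "www.bar.foo.org")      # false (rejected)
  p rfc_wildcard_match?("www*.example.com", "www1.example.com") # true for http
  p rfc_wildcard_match?("www*.example.com", "www1.example.com", strict: true) # false
end
```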