[rfc][icedtea-web] restricting codebase matcher from aaaexample.com to example.com or whatever.example.com only
Jiri Vanek
jvanek at redhat.com
Mon Mar 31 19:10:03 UTC 2014
On 03/31/2014 08:51 PM, Omair Majid wrote:
> * Jiri Vanek <jvanek at redhat.com> [2014-03-31 14:31]:
>> As Omair suggested - the previous fix was too vague.
>
> Yes, I think the previous fix was too lenient. Almost a security hole.
>
>> This is done for domain only. The paths are still evaluated as:
>> *.example.com
>> is matching whatever.example.com but not example.com nor aaaexample.com
>
> Any specific reason for this?
Yes. For a domain it makes sense to ignore the dot if there is nothing before it, just the star.
On the other hand, the paths are not specified at all in the spec (there is only a note that they are matched).
So I think that for paths, evaluating *.aaa so that it matches ONLY whatever.aaa and not just aaa is
more correct. If you think it is wrong, I can adapt.
>
>> +++ b/tests/netx/unit/net/sourceforge/jnlp/util/ClasspathMatcherTest.java Mon Mar 31 20:30:45 2014 +0200
>
>> + @Test
>> + public void dotIssueWithPaths() throws MalformedURLException {
>
> How about renaming it to something more explanatory? I am thinking of
> something like wildCardSubdomainDoesNotMatchParentDomainPaths.
I will do it before the push.
Pleasure on my side,
J.
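The two matching rules discussed in this thread, as an added example that is not icedtea-web's ClasspathMatcher code or part of the original message. The class and method names are hypothetical, and `lenientMatch` is only an assumed illustration of how a suffix test lets aaaexample.com through, not the actual previous fix.

```java
import java.util.Locale;

// Added illustration; names are hypothetical, not icedtea-web's ClasspathMatcher.
public class WildcardHostDemo {

    // Assumed example of a too-lenient matcher: drops "*." and does a plain
    // suffix test, so DNS label boundaries are ignored.
    static boolean lenientMatch(String pattern, String host) {
        String suffix = pattern.startsWith("*.") ? pattern.substring(2) : pattern;
        return host.toLowerCase(Locale.ROOT).endsWith(suffix.toLowerCase(Locale.ROOT));
    }

    // Domain rule from the thread: "*.example.com" matches example.com and any
    // subdomain of it, but never a host that merely ends in the same characters.
    static boolean domainMatch(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String parent = p.substring(2);
        return h.equals(parent) || h.endsWith("." + parent);
    }

    // Path rule from the thread: the dot stays literal, so "*.aaa" matches
    // whatever.aaa but not a bare aaa.
    static boolean pathMatch(String pattern, String path) {
        if (!pattern.startsWith("*.")) {
            return path.equals(pattern);
        }
        String tail = pattern.substring(1); // keeps the leading dot
        return path.endsWith(tail);
    }

    public static void main(String[] args) {
        // Constructed sample hosts, taken from the names used in the thread.
        String[] hosts = {"example.com", "whatever.example.com", "aaaexample.com"};
        for (String h : hosts) {
            System.out.printf("%-22s lenient=%-5b domain=%b%n", h,
                    lenientMatch("*.example.com", h), domainMatch("*.example.com", h));
        }
        // Constructed sample paths, taken from the names used in the thread.
        String[] paths = {"whatever.aaa", "aaa"};
        for (String p : paths) {
            System.out.printf("%-22s path=%b%n", p, pathMatch("*.aaa", p));
        }
    }
}
```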