Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
XCAppCollection
/
XCVMKit-OS
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Салаа: master
Салаанууд Тагууд
XCVMKit-OS
/
package
/
qt6
/
qt6base
/
0002-Hsts-match-header-names-case-insensitively.patch

0002-Hsts-match-header-names-case-insensitively.patch 2.5 KB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. From 5e8697e3aa4e92643c52d34aacfa26890e7d417d Mon Sep 17 00:00:00 2001
    2. 

  2. From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
    3. 

  3. Date: Fri, 5 May 2023 11:07:26 +0200
    4. 

  4. Subject: [PATCH] Hsts: match header names case insensitively
    5. 

  5. 

  6. Header field names are always considered to be case-insensitive.
    7. 

  7. 

  8. Pick-to: 6.5 6.5.1 6.2 5.15
    9. 

  9. Fixes: QTBUG-113392
    10. 

  10. Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
    11. 

  11. Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
    12. 

  12. Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
    13. 

  13. Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
    14. 

  14. 

  15. Fixes: https://security-tracker.debian.org/tracker/CVE-2023-32762
    16. 

  16. Upstream: https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
    17. 

  17. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    18. 

  18. ---
    19. 

  19.  src/network/access/qhsts.cpp                 | 4 ++--
    20. 

  20.  tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
    21. 

  21.  2 files changed, 8 insertions(+), 2 deletions(-)
    22. 

  22. 

  23. diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
    24. 

  24. index 39905f35480..82deede1729 100644
    25. 

  25. --- a/src/network/access/qhsts.cpp
    26. 

  26. +++ b/src/network/access/qhsts.cpp
    27. 

  27. @@ -327,8 +327,8 @@ quoted-pair    = "\" CHAR
    28. 

  28.  bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
    29. 

  29.  {
    30. 

  30.      for (const auto &h : headers) {
    31. 

  31. -        // We use '==' since header name was already 'trimmed' for us:
    32. 

  32. -        if (h.first == "Strict-Transport-Security") {
    33. 

  33. +        // We compare directly because header name was already 'trimmed' for us:
    34. 

  34. +        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
    35. 

  35.              header = h.second;
    36. 

  36.              // RFC6797, 8.1:
    37. 

  37.              //
    38. 

  38. diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
    39. 

  39. index 252f5e8f579..97a2d2889e5 100644
    40. 

  40. --- a/tests/auto/network/access/hsts/tst_qhsts.cpp
    41. 

  41. +++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
    42. 

  42. @@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser()
    43. 

  43.      QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
    44. 

  44.      QVERIFY(parser.includeSubDomains());
    45. 

  45.  
    46. 

  46. +    list.pop_back();
    47. 

  47. +    list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
    48. 

  48. +    QVERIFY(parser.parse(list));
    49. 

  49. +    QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
    50. 

  50. +    QVERIFY(parser.includeSubDomains());
    51. 

  51. +
    52. 

  52.      list.pop_back();
    53. 

  53.      // Invalid (includeSubDomains twice):
    54. 

  54.      list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
    55. 

  55. -- 
    56. 

  56. 2.46.0
    57. 

  57.