Bug 1736763: Correctly parse IPv6 hosts in certificate overrides r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D135617
2025-02-27 04:38:02 +00:00 · 2022-01-13 14:29:41 +00:00 · 2022-01-13 14:29:41 +00:00 · 73a91c8fd6
commit 73a91c8fd6
parent f85f79ecf5
2 changed files with 20 additions and 2 deletions
--- a/security/manager/ssl/nsCertOverrideService.cpp
+++ b/security/manager/ssl/nsCertOverrideService.cpp
@ -323,7 +323,14 @@ nsresult nsCertOverrideService::Read(const MutexAutoLock& aProofOfLock) {

    Tokenizer parser(buffer);
    nsDependentCSubstring host;
-    if (!parser.ReadUntil(Tokenizer::Token::Char(':'), host) ||
+    if (parser.CheckChar('[')) {  // this is a IPv6 address
+      parser.Record(Tokenizer::INCLUDE_LAST);
+      if (!parser.ReadUntil(Tokenizer::Token::Char(']'), host) ||
+          host.Length() == 0 || !parser.CheckChar(':')) {
+        continue;
+      }
+      parser.Claim(host);
+    } else if (!parser.ReadUntil(Tokenizer::Token::Char(':'), host) ||
               host.Length() == 0) {
      continue;
    }
--- a/security/manager/ssl/tests/unit/test_cert_override_read.js
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@ -48,6 +48,10 @@ function run_test() {
      cert2.sha256Fingerprint +
      "\tU\t" +
      cert2.dbKey,
+    "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
+      cert2.sha256Fingerprint +
+      "\tM\t" +
+      cert2.dbKey,
    "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
      cert1.sha256Fingerprint +
      "\tM\t" +
@ -129,6 +133,13 @@ function run_test() {
      bits: Ci.nsICertOverrideService.ERROR_UNTRUSTED,
      attributes: {},
    },
+    {
+      host: "[::1]",
+      port: 443,
+      cert: cert2,
+      bits: Ci.nsICertOverrideService.ERROR_MISMATCH,
+      attributes: {},
+    },
    {
      host: "example.com",
      port: 443,