[HTTPS-E Rulesets] [PATCH] Fix CACert rule to work on cacert.org without any subdomain.

Josh Triplett josh at joshtriplett.org
Sun Aug 21 15:55:34 PDT 2011


The CACert rule only ran on subdomains of cacert.org, leaving the
main cacert.org domain vulnerable.
---

Available either by "git am"ing this mail or by pulling from
git://joshtriplett.org/git/https-everywhere .

Many other rules explicitly handle both example.org and *.example.org,
and the documentation at https://www.eff.org/https-everywhere/rulesets
shows examples which handle both explicitly, so I've assumed that
*.example.org does not match example.org.  If it does, then the
documentation needs fixing.

I noticed many other rules with this bug; the following command will
find all rules which have a wildcard match but no non-wildcard match:

git grep -Fl 'host="*.' | xargs grep -L 'host="[^*]'

That may potentially miss cases which handle multiple domains including
both wildcards and non-wildcards but not all of the top-level domains
involved.

 src/chrome/content/rules/CAcert.xml |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/chrome/content/rules/CAcert.xml b/src/chrome/content/rules/CAcert.xml
index fbc656d..c126b92 100644
--- a/src/chrome/content/rules/CAcert.xml
+++ b/src/chrome/content/rules/CAcert.xml
@@ -1,4 +1,5 @@
 <ruleset name="CACert.org" default_off="signed by CACert itself">
+  <target host="cacert.org" />
   <target host="*.cacert.org" />
 
   <!-- this currently errs on the side of not breaking things over security -->
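Review bot: the added `<target host="cacert.org" />` is the right fix given the assumption, stated in the cover letter, that `*.cacert.org` does not match the apex host; but because this ruleset carries `default_off="signed by CACert itself"` it is only applied by users who enable it by hand, so the commit message's "leaving the main cacert.org domain vulnerable" overstates the impact for a default install. Consider saying in the commit message that the ruleset is off by default so the fix is not misread as closing a hole that affected every user.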
@@ -7,5 +8,6 @@
   <exclusion pattern="ocsp\." />
   <exclusion pattern="^http://cats\.cacert\.org/"/>
 
+  <rule from="^http://cacert\.org/" to="https://www.cacert.org/"/>
   <rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
 </ruleset>
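Review bot: the new rule sends `http://cacert.org/` to `https://www.cacert.org/`, changing the hostname as well as the scheme, and neither the hunk nor the commit message says why the apex is not simply rewritten to `https://cacert.org/` (for instance, because the apex does not serve HTTPS with a certificate valid for `cacert.org`). Either use `to="https://cacert.org/"` if the apex serves HTTPS correctly, or keep the `www.` redirect and record the reason in a comment in the file's existing style (`<!-- ... -->`) next to the rule, so the next editor does not "fix" it back. Note also that the pattern `^http://cacert\.org/` matches only URLs with no explicit port, which is consistent with the existing subdomain rule below it.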
-- 
1.7.5.4
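The cover letter above points out that the `git grep` heuristic can miss rulesets which list several domains, some with both the apex and wildcard forms and some with only the wildcard. The following script is an added example (not part of the patch or of the HTTPS Everywhere project) that checks this per ruleset instead of per file: it parses each `<ruleset>` with the standard library XML parser, collects every `<target host="..."/>`, and reports each leading-wildcard target `*.X` for which `X` itself is absent. It assumes, as the e-mail does, that `*.example.org` does not match `example.org`; the function names and the three sample rulesets are constructed for the example and modelled on the patch, not copied from the repository.

```python
"""
Report HTTPS Everywhere rulesets whose leading-wildcard targets
(`*.example.org`) have no matching apex target (`example.org`).

Added example; not part of the original patch or of the HTTPS Everywhere
project. Assumes, as the e-mail does, that a `*.example.org` target does
not match `example.org` itself, and that rulesets use the
`<ruleset>` / `<target host="..."/>` XML layout shown in the patch.
"""
import xml.etree.ElementTree as ET


def wildcard_targets_without_apex(ruleset_xml):
    """Return the apex hostnames a ruleset covers only through a
    leading-wildcard target, sorted, e.g. ["cacert.org"].

    The check is per ruleset, so a file that handles several domains,
    some with both forms and some with only the wildcard, is still
    reported (the case the cover letter's `git grep` pipeline can miss).
    """
    root = ET.fromstring(ruleset_xml)
    if root.tag != "ruleset":
        raise ValueError("expected a <ruleset> document, got <%s>" % root.tag)
    hosts = {t.get("host", "").strip().lower() for t in root.iter("target")}
    hosts.discard("")
    missing = []
    for host in sorted(hosts):
        # Only a *leading* wildcard means "every subdomain of X"; other
        # wildcard placements are left alone.
        if host.startswith("*.") and host[2:] not in hosts:
            missing.append(host[2:])
    return missing


def report(named_rulesets):
    """Map ruleset name -> missing apex hosts, omitting clean rulesets."""
    out = {}
    for name, xml_text in named_rulesets:
        missing = wildcard_targets_without_apex(xml_text)
        if missing:
            out[name] = missing
    return out


# Constructed sample rulesets modelled on the patch (not repository files).
CACERT_BEFORE = r"""<ruleset name="CACert.org" default_off="signed by CACert itself">
  <target host="*.cacert.org" />
  <exclusion pattern="ocsp\." />
  <rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
</ruleset>
"""

CACERT_AFTER = r"""<ruleset name="CACert.org" default_off="signed by CACert itself">
  <target host="cacert.org" />
  <target host="*.cacert.org" />
  <exclusion pattern="ocsp\." />
  <rule from="^http://cacert\.org/" to="https://www.cacert.org/"/>
  <rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
</ruleset>
"""

# Hypothetical multi-domain ruleset: example.org is handled both ways,
# example.net only via the wildcard. A file-level grep for any
# non-wildcard host would pass this file; the per-ruleset check does not.
MULTI_DOMAIN = r"""<ruleset name="Example (hypothetical)">
  <target host="example.org" />
  <target host="*.example.org" />
  <target host="*.example.net" />
  <rule from="^http://" to="https://"/>
</ruleset>
"""


if __name__ == "__main__":
    import glob
    import sys
    # Usage: python check_targets.py src/chrome/content/rules/*.xml
    paths = sys.argv[1:] or glob.glob("src/chrome/content/rules/*.xml")
    named = [(p, open(p, encoding="utf-8").read()) for p in paths]
    for name, missing in sorted(report(named).items()):
        print("%s: wildcard target(s) without apex target: %s"
              % (name, ", ".join(missing)))
```

Run it from the repository root with no arguments to scan `src/chrome/content/rules/*.xml`, or pass explicit paths. Because it parses the XML rather than grepping lines, a ruleset that lists both `example.org` and `*.example.org` but only `*.example.net` is reported for `example.net` alone, which is exactly the gap the cover letter describes.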
