[HTTPS-E Rulesets] [PATCH] Fix CACert rule to work on cacert.org without any subdomain.
Josh Triplett
josh at joshtriplett.org
Sun Aug 21 15:55:34 PDT 2011
The CACert rule only ran on subdomains of cacert.org, leaving the
main cacert.org domain vulnerable.
---
Available either by "git am"ing this mail or by pulling from
git://joshtriplett.org/git/https-everywhere .
Many other rules explicitly handle both example.org and *.example.org,
and the documentation at https://www.eff.org/https-everywhere/rulesets
shows examples which handle both explicitly, so I've assumed that
*.example.org does not match example.org. If it does, then the
documentation needs fixing.
I noticed many other rules with this bug; the following command will
find all rules which have a wildcard match but no non-wildcard match:
git grep -Fl 'host="*.' | xargs grep -L 'host="[^*]'
That may potentially miss cases which handle multiple domains including
both wildcards and non-wildcards but not all of the top-level domains
involved.
src/chrome/content/rules/CAcert.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/src/chrome/content/rules/CAcert.xml b/src/chrome/content/rules/CAcert.xml
index fbc656d..c126b92 100644
--- a/src/chrome/content/rules/CAcert.xml
+++ b/src/chrome/content/rules/CAcert.xml
@@ -1,4 +1,5 @@
<ruleset name="CACert.org" default_off="signed by CACert itself">
+ <target host="cacert.org" />
<target host="*.cacert.org" />
<!-- this currently errs on the side of not breaking things over security -->
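Review bot: the new `<target host="cacert.org" />` line rewrites nothing on its own, because the only existing `from` pattern (`^http://([^/:@\.]+)\.cacert\.org/`) requires a subdomain component and so never matches `http://cacert.org/`; the target is only effective together with the rule added in the second hunk, so the two hunks belong in one commit (as they are here) and the commit message should say that both a target and a rule were missing. Note also that the ruleset is `default_off`, so the fix only reaches users who have enabled it.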
@@ -7,5 +8,6 @@
<exclusion pattern="ocsp\." />
<exclusion pattern="^http://cats\.cacert\.org/"/>
+ <rule from="^http://cacert\.org/" to="https://www.cacert.org/"/>
<rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
</ruleset>
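Review bot: the added rule changes the host as well as the scheme, sending `http://cacert.org/` to `https://www.cacert.org/` rather than `https://cacert.org/`, and neither the commit message nor the mail says why (for instance whether the bare host serves HTTPS with a matching certificate); document the reason, or rewrite to the same host so the user stays on the origin they requested. Rule ordering is fine: the subdomain rule's `([^/:@\.]+)\.` cannot match the bare host, so the two rules do not overlap.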
--
1.7.5.4
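The mail's grep pipeline flags a ruleset file only when it has a wildcard target and no non-wildcard target at all, which, as the author notes, misses files that mix several domains. The following script is an added example, not part of the patch or of the HTTPS Everywhere project; it checks the same property per domain and also checks that each bare target has a rule that actually matches it, under the assumption stated in the mail that `*.example.org` never matches `example.org`. The sample rulesets are constructed: two are reassembled from the visible lines of the diff, the third (`example.org`/`example.net`) is hypothetical.

```python
"""Lint HTTPS Everywhere rulesets for wildcard targets lacking a bare-domain
target, per domain rather than per file.

Added example, not the project's own tooling. Assumes a target host of
"*.example.org" matches subdomains only, never the bare "example.org".
"""
import re
import xml.etree.ElementTree as ET

# Constructed: CAcert.xml as it stood before the patch, reassembled from the
# diff's unchanged lines (the ruleset's own comment is omitted).
CACERT_BEFORE = r"""<ruleset name="CACert.org" default_off="signed by CACert itself">
  <target host="*.cacert.org" />
  <exclusion pattern="ocsp\." />
  <exclusion pattern="^http://cats\.cacert\.org/"/>
  <rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
</ruleset>"""

# Constructed: the same file with only the <target> half of the patch applied.
CACERT_TARGET_ONLY = CACERT_BEFORE.replace(
    '<target host="*.cacert.org" />',
    '<target host="cacert.org" />\n  <target host="*.cacert.org" />')

# Constructed: the same file with both lines the patch adds.
CACERT_AFTER = r"""<ruleset name="CACert.org" default_off="signed by CACert itself">
  <target host="cacert.org" />
  <target host="*.cacert.org" />
  <exclusion pattern="ocsp\." />
  <exclusion pattern="^http://cats\.cacert\.org/"/>
  <rule from="^http://cacert\.org/" to="https://www.cacert.org/"/>
  <rule from="^http://([^/:@\.]+)\.cacert\.org/" to="https://$1.cacert.org/"/>
</ruleset>"""

# Constructed, hypothetical ruleset: one domain handled both ways, a second
# only by wildcard. This is the case the mail says its grep pipeline misses.
MIXED = """<ruleset name="Example (constructed)">
  <target host="example.org" />
  <target host="*.example.org" />
  <target host="*.example.net" />
  <rule from="^http://" to="https://"/>
</ruleset>"""


def target_hosts(xml_text):
    """All <target host="..."> values in a ruleset, in file order."""
    root = ET.fromstring(xml_text)
    return [t.get("host") for t in root.iter("target") if t.get("host")]


def grep_heuristic_flags(xml_text):
    """Mirror the mail's per-file test (a wildcard target present, no
    non-wildcard target present), i.e. git grep -Fl 'host="*.' | xargs grep -L 'host="[^*]'."""
    hosts = target_hosts(xml_text)
    has_wildcard = any(h.startswith("*.") for h in hosts)
    has_bare = any(not h.startswith("*.") for h in hosts)
    return has_wildcard and not has_bare


def wildcards_without_bare(xml_text):
    """Per-domain check: every "*.example.org" target needs an "example.org" target."""
    hosts = set(target_hosts(xml_text))
    return sorted(h[2:] for h in hosts if h.startswith("*.") and h[2:] not in hosts)


def targets_without_rule(xml_text):
    """A target alone rewrites nothing; some <rule from="..."> must match
    http://<host>/. Rule patterns are JavaScript regexes; this check assumes
    they are also valid Python regexes, which holds for the samples above."""
    root = ET.fromstring(xml_text)
    froms = [r.get("from") for r in root.iter("rule") if r.get("from")]
    unmatched = []
    for host in target_hosts(xml_text):
        if host.startswith("*."):
            continue
        url = "http://%s/" % host
        if not any(re.search(pattern, url) for pattern in froms):
            unmatched.append(host)
    return unmatched


def lint(name, xml_text):
    """Report both findings for one ruleset; returns (missing bare targets, dead targets)."""
    missing = wildcards_without_bare(xml_text)
    dead = targets_without_rule(xml_text)
    print("%s: grep heuristic flags=%s, wildcard without bare=%s, target without rule=%s"
          % (name, grep_heuristic_flags(xml_text), missing, dead))
    return missing, dead


if __name__ == "__main__":
    for name, text in [("CAcert before", CACERT_BEFORE),
                       ("CAcert target only", CACERT_TARGET_ONLY),
                       ("CAcert after", CACERT_AFTER),
                       ("mixed", MIXED)]:
        lint(name, text)
```

Run over a checkout with `for f in src/chrome/content/rules/*.xml; do ...; done` feeding each file's text to `lint`; the `MIXED` sample shows the difference from the grep pipeline, which does not flag that file even though `example.net` is covered only by its wildcard.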