[HTTPS-E Rulesets] [PATCH] Fix Gravatar rule to work on gravatar.org without any subdomain.
Josh Triplett
josh at joshtriplett.org
Sun Aug 21 15:56:06 PDT 2011
The Gravatar rule only ran on subdomains of gravatar.org, leaving the
main gravatar.org domain vulnerable.
---
Available either by "git am"ing this mail or by pulling from
git://joshtriplett.org/git/https-everywhere .
Many other rules explicitly handle both example.org and *.example.org,
and the documentation at https://www.eff.org/https-everywhere/rulesets
shows examples which handle both explicitly, so I've assumed that
*.example.org does not match example.org. If it does, then the
documentation needs fixing.
I noticed many other rules with this bug; the following command will
find all rules which have a wildcard match but no non-wildcard match:
git grep -Fl 'host="*.' | xargs grep -L 'host="[^*]'
That may potentially miss cases which handle multiple domains including
both wildcards and non-wildcards but not all of the top-level domains
involved.
src/chrome/content/rules/Gravatar.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/src/chrome/content/rules/Gravatar.xml b/src/chrome/content/rules/Gravatar.xml
index b6b02de..6fb1392 100644
--- a/src/chrome/content/rules/Gravatar.xml
+++ b/src/chrome/content/rules/Gravatar.xml
@@ -1,4 +1,5 @@
<ruleset name="Gravatar">
+ <target host="gravatar.com" />
<target host="*.gravatar.com" />
<rule from="^http://((www|en|s|secure|0|1|2)\.)?gravatar\.com/" to="https://secure.gravatar.com/"/>
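Review bot: The subject line and commit message describe the fix as covering gravatar.org, but the target added here is gravatar.com, which is also the domain used by the existing wildcard target and by the rule's from regex; the commit message should say gravatar.com so the history matches the change. The single added line `<target host="gravatar.com" />` is enough on its own, since the existing pattern `^http://((www|en|s|secure|0|1|2)\.)?gravatar\.com/` already makes the subdomain prefix optional and therefore rewrites the bare domain as soon as it is targeted. One further point: the header `@@ -1,4 +1,5 @@` announces four original lines, but only three context lines follow the insertion, so the trailing context (presumably the closing ruleset tag) appears to have been dropped from the mail as shown; worth confirming the patch still applies cleanly with "git am" before merging.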
--
1.7.5.4
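The command in the mail flags a ruleset file only when it has a wildcard target and no non-wildcard target at all, which is exactly the limitation the author notes for files that mix several domains. The following Python script is an added example, not part of the patch or of the HTTPS Everywhere project; it parses each ruleset and reports, per domain, any `*.example.org` target that has no matching bare `example.org` target, and it sits beside an emulation of the two-grep heuristic so the difference is visible. The three rulesets in SAMPLE_RULESETS are constructed for this example (the Gravatar one mirrors the pre-patch file quoted in the diff), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rulesets (not taken from the HTTPS Everywhere repository).
SAMPLE_RULESETS = {
    # Mirrors the pre-patch Gravatar ruleset: wildcard target only.
    "Gravatar.xml": r"""<ruleset name="Gravatar">
  <target host="*.gravatar.com" />
  <rule from="^http://((www|en|s|secure|0|1|2)\.)?gravatar\.com/" to="https://secure.gravatar.com/"/>
</ruleset>""",
    # Same ruleset with the bare domain added, i.e. what the patch produces.
    "Fixed.xml": r"""<ruleset name="Fixed">
  <target host="gravatar.com" />
  <target host="*.gravatar.com" />
  <rule from="^http://((www|en|s|secure|0|1|2)\.)?gravatar\.com/" to="https://secure.gravatar.com/"/>
</ruleset>""",
    # Multi-domain ruleset: example.org is handled both ways, example.net is
    # wildcard-only. A file-level grep cannot see this gap.
    "Mixed.xml": r"""<ruleset name="Mixed">
  <target host="example.org" />
  <target host="*.example.org" />
  <target host="*.example.net" />
  <rule from="^http://" to="https://"/>
</ruleset>""",
}


def grep_heuristic_flags(xml_text):
    """Emulate the mail's pipeline: flag the file only if it contains a
    wildcard target and no non-wildcard target anywhere in the file."""
    has_wildcard = 'host="*.' in xml_text
    has_plain = re.search(r'host="[^*]', xml_text) is not None
    return has_wildcard and not has_plain


def wildcard_only_domains(xml_text):
    """Return the bare domains that are covered only by a '*.' wildcard
    target, checked per domain rather than per file."""
    root = ET.fromstring(xml_text)
    hosts = {t.get("host") for t in root.iter("target") if t.get("host")}
    missing = []
    for host in sorted(hosts):
        if host.startswith("*."):
            base = host[2:]
            if base not in hosts:
                missing.append(base)
    return missing


def scan(rulesets):
    """Map each ruleset file name to its list of wildcard-only domains,
    omitting files that have none."""
    report = {}
    for name, xml_text in rulesets.items():
        gaps = wildcard_only_domains(xml_text)
        if gaps:
            report[name] = gaps
    return report


if __name__ == "__main__":
    for name, xml_text in SAMPLE_RULESETS.items():
        print(name,
              "grep-heuristic:", grep_heuristic_flags(xml_text),
              "per-domain gaps:", wildcard_only_domains(xml_text))
```

Run against the samples, the grep emulation flags only Gravatar.xml, while the per-domain check also reports example.net in Mixed.xml; that second case is the one the mail says the command "may potentially miss". Pointing `scan` at the real rules directory would mean reading each file into the dictionary first; the check itself does not change.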