[jira] [Commented] (NUTCH-2786) TrustManager methods do not have certificate validation logic


Steve Loughran (Jira)

    [ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262039#comment-17262039 ]

ASF GitHub Bot commented on NUTCH-2786:

lewismc commented on pull request #524:
URL: https://github.com/apache/nutch/pull/524#issuecomment-757023226

@AthenaXiao I'm going to close this issue off. The Class is present in quite a few places within the Nutch source. It is named appropriately and really down to the consumer how they use it. Some Javadoc would be preferred. In the absence of that, this patch is not going to be merged in its current state. Thank you.

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>                 Key: NUTCH-2786
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2786
>             Project: Nutch
>          Issue Type: Improvement
>          Components: plugin, protocol
>    Affects Versions: 1.16
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: 1.18
>  * *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” the overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
>  * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
>  * *Suggested Fix:* Add the necessary certificate verification logic in the overridden methods. This is an example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
>  * *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful

This message was sent by Atlassian Jira