[ https://issues.apache.org/jira/browse/CMIS-1112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270804#comment-17270804 ]
Florent Guillaume commented on CMIS-1112:
-----------------------------------------

This is a bug/issue tracker; it's not an appropriate venue for such questions. Please use the [dev mailing-list|http://mail-archives.apache.org/mod_mbox/chemistry-dev/] if you want to reach developers.

> Customized HostnameVerifier bypasses the hostname verification
> --------------------------------------------------------------
>
> Key: CMIS-1112
> URL: https://issues.apache.org/jira/browse/CMIS-1112
> Project: Chemistry
> Issue Type: Improvement
> Reporter: Ya Xiao
> Priority: Major
> Labels: patch, security
>
> In file [chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java], the customized HostnameVerifier allows all hostnames to pass the verification (at Line 412).
>
> *Security Impact*:
> Hostname Verification is required to verify the identity of the other party. Bypassing it could allow man-in-the-middle attacks.
>
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/297.html]
>
> *Solution we suggest:*
> Do not customize the HostnameVerifier or specify the verification logic instead of allowing all hostnames.
>
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
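To illustrate the report's suggested fix, here is an added example (not code from the OpenCMIS workbench or from the reporter) that contrasts the accept-all verifier the issue describes with a replacement that actually matches the requested host against the leaf certificate's dNSName SAN entries. The class and method names are assumptions for the example; the simplest remedy remains not installing a custom HostnameVerifier at all and letting the platform's endpoint identification run.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class HostnameVerifiers {

    // The pattern CMIS-1112 reports: any hostname is accepted, so a valid
    // certificate for *any* name satisfies the client (CWE-297). Shown only
    // as the "before" to contrast with SAN_MATCH below.
    public static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // Hardened replacement: accept only when the requested hostname appears
    // as a dNSName SAN in the peer's leaf certificate. Fails closed on any
    // error (no peer cert, unparsable extension).
    public static final HostnameVerifier SAN_MATCH = (hostname, session) -> {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matchesDnsSan(hostname, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;
        }
    };

    // Case-insensitive exact match, plus a single-label wildcard
    // ("*.example.com" matches "a.example.com" but not "a.b.example.com").
    static boolean matchesDnsSan(String hostname, X509Certificate leaf)
            throws CertificateParsingException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        String wanted = hostname.toLowerCase(Locale.ROOT);
        int dot = wanted.indexOf('.');
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) != 2) continue; // 2 == dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(wanted)) return true;
            if (name.startsWith("*.") && dot > 0
                    && wanted.substring(dot).equals(name.substring(1))) {
                return true;
            }
        }
        return false;
    }
}
```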