
Issue 596544


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 596523




ParseCertificateDate() accepts invalid dates

Project Member Reported by eroman@chromium.org, Mar 21 2016

Issue description

In particular, date values are allowed to have a leading plus sign, by virtue of using base::StringToInt()

(In cert/x509_cert_types.cc)
 

Comment 1 by eroman@chromium.org, Mar 21 2016

Components: -Internals>Network Internals>Network>SSL

Comment 2 by eroman@chromium.org, Mar 23 2016

Owner: eroman@chromium.org
Status: Assigned (was: Untriaged)
It also allows dates to have negative time components, by virtue of not checking if the parsed result was negative.

Comment 3 by eroman@chromium.org, Mar 23 2016

.. although that is caught later by exploded.HasValidValues() so meh.

Comment 4 by eroman@chromium.org, Mar 23 2016

Actually I think it does manifest as its own bug because of:

   if (valid && year_length == 2)
     exploded.year += exploded.year < 50 ? 2000 : 1900;

Since I think if year was "-9" then year_length == 2, and the final exploded.year will be (2000-9)

Comment 5 by bugdroid1@chromium.org, Mar 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f90fcb579588d6491f04ffc586ba2bf5b2a1653

commit 1f90fcb579588d6491f04ffc586ba2bf5b2a1653
Author: eroman <eroman@chromium.org>
Date: Wed Mar 23 22:28:55 2016

Don't allow negative date components in ParseCertificateDate(), or ones starting with a plus.

BUG=596523,  596544 

Review URL: https://codereview.chromium.org/1832583002

Cr-Commit-Position: refs/heads/master@{#382949}

[modify] https://crrev.com/1f90fcb579588d6491f04ffc586ba2bf5b2a1653/net/cert/x509_cert_types.cc
[modify] https://crrev.com/1f90fcb579588d6491f04ffc586ba2bf5b2a1653/net/cert/x509_cert_types_unittest.cc

Comment 6 by eroman@chromium.org, Mar 23 2016

Status: Fixed (was: Assigned)
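
The failure mode from comments 2 to 4, next to the digits-only parsing that the commit message describes, as an added C++ example. It is a simplified model, not the code in net/cert/x509_cert_types.cc; the names StrictField, LenientField and ExpandYear are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Strict parser (hypothetical): every character must be an ASCII digit,
// so "+5" and "-9" are rejected outright. Date fields are 2 or 4 chars.
bool StrictField(const std::string& s, int* out) {
  if (s.empty() || s.size() > 4) return false;
  int value = 0;
  for (unsigned char c : s) {
    if (c < '0' || c > '9') return false;
    value = value * 10 + (c - '0');
  }
  *out = value;
  return true;
}

// Lenient parser (hypothetical model of general-purpose integer parsing):
// an optional leading '+' or '-' is accepted and counts toward the length.
bool LenientField(const std::string& s, int* out) {
  std::size_t start = 0;
  bool negative = false;
  if (!s.empty() && (s[0] == '+' || s[0] == '-')) {
    negative = (s[0] == '-');
    start = 1;
  }
  int digits = 0;
  if (!StrictField(s.substr(start), &digits)) return false;
  *out = negative ? -digits : digits;
  return true;
}

typedef bool (*FieldParser)(const std::string&, int*);

// Two-digit year expansion as quoted in comment 4: the window is applied
// based on the field's character length, not on the parsed value's range.
bool ExpandYear(const std::string& field, FieldParser parse, int* year) {
  if (!parse(field, year)) return false;
  if (field.size() == 2) *year += *year < 50 ? 2000 : 1900;
  return true;
}

int main() {
  int y = 0;
  // Constructed inputs: "-9" is the case from comment 4, "+5" from the report.
  if (ExpandYear("-9", LenientField, &y)) std::printf("lenient \"-9\" -> %d\n", y);
  if (ExpandYear("+5", LenientField, &y)) std::printf("lenient \"+5\" -> %d\n", y);
  if (!ExpandYear("-9", StrictField, &y)) std::printf("strict  \"-9\" rejected\n");
  return 0;
}
```

With the lenient parser the negative value is folded into a plausible year before any later range check sees it, which is why the sign has to be rejected at the field level.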
