Bug#781745: libwvstreams4.6-extras: Not handling whitespace in x509 extensions
Package: libwvstreams4.6-extras
Version: 4.6.1-5
Severity: normal
Dear Maintainer,
When using wvx509 and calling the get_ocsp or get_crl_urls methods, the URI lines are not parsed properly if there is leading whitespace.
Example line: " URI:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
In the parse_stack method there is a check for the prefix: "if (strstr(stack_entry, prefix))"
and then a modification of the line to move the string pointer past that prefix: "WvString uri(stack_entry.edit() + prefix.len());"
This logic doesn't take into account the leading whitespace (which should be trimmed according to the RFC), and returns a bad string.
Actual returned string: "I:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
Expected string: "ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
The strings in the parse_stack method should be trimmed of leading and trailing whitespace before the modification. I'm not sure of the best way to do this with the libraries given.
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwvstreams4.6-extras depends on:
ii libc6 2.13-38+deb7u8
ii libdbus-1-3 1.6.8-1+deb7u6
ii libgcc1 1:4.7.2-5
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1e-2+deb7u16
ii libstdc++6 4.7.2-5
ii libwvstreams4.6-base 4.6.1-5
ii zlib1g 1:1.2.7.dfsg-13
libwvstreams4.6-extras recommends no packages.
libwvstreams4.6-extras suggests no packages.
-- no debconf information
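
Added example, not part of the original report and not WvStreams code: a standalone C++ sketch of the check-then-skip logic the report quotes, next to a version that trims whitespace and requires the prefix at the start of the line. It uses std::string in place of WvString; the function names, the "URI:" prefix value and the sample lines are assumptions constructed for illustration.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Assumption: the prefix being matched is "URI:" (the report does not state it).
static const std::string kPrefix = "URI:";

// Mirrors the quoted logic: substring test anywhere in the line, then skip
// prefix-length bytes from the START of the line, wherever the match was.
bool extract_uri_naive(const std::string &entry, std::string &uri)
{
    if (!std::strstr(entry.c_str(), kPrefix.c_str()))
        return false;
    uri = entry.substr(kPrefix.size());
    return true;
}

// Trims leading/trailing whitespace first, then accepts the line only if
// the prefix sits at offset 0 and something follows it.
bool extract_uri_trimmed(const std::string &entry, std::string &uri)
{
    static const char *const ws = " \t\r\n";
    const std::string::size_type first = entry.find_first_not_of(ws);
    if (first == std::string::npos)
        return false;
    const std::string::size_type last = entry.find_last_not_of(ws);
    const std::string line = entry.substr(first, last - first + 1);
    if (line.compare(0, kPrefix.size(), kPrefix) != 0)
        return false;
    uri = line.substr(kPrefix.size());
    return !uri.empty();
}

int main()
{
    // Constructed sample lines, not taken from a real certificate.
    const char *samples[] = { "  URI:ldap://ca.example.test/cn=CRL1 \n",
                              "DirName:/CN=URI:x" };
    for (int i = 0; i < 2; ++i) {
        std::string a, b;
        bool na = extract_uri_naive(samples[i], a);
        bool nb = extract_uri_trimmed(samples[i], b);
        std::cout << "naive(" << na << ")=[" << a << "] trimmed(" << nb
                  << ")=[" << b << "]\n";
    }
    return 0;
}
```

The second sample shows that a substring test also accepts lines where the prefix appears mid-string, so a corrupted value can reach the code that fetches CRL or OCSP data.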