hsts: when a dupe host adds subdomains, use that #21108

Closed
bagder wants to merge 1 commit into master from bagder/hsts-dupe

@bagder bagder commented Mar 26, 2026

Otherwise a weaker earlier entry is allowed to override a later more restrictive one.

Add test 1638 to verify.

@github-actions github-actions bot added the tests label Mar 26, 2026
@bagder bagder marked this pull request as ready for review March 26, 2026 16:32
@bagder bagder requested a review from Copilot March 26, 2026 16:32
Copilot AI left a comment

Pull request overview

This PR fixes HSTS cache parsing so that when duplicate host entries are loaded, a later (or duplicate) entry that enables includeSubDomains cannot be weakened by an earlier entry, and it adds a regression test to validate the behavior.

Changes:

  • Update HSTS cache load logic to keep the strictest includeSubDomains policy when merging duplicate hosts.
  • Normalize hostnames read from the HSTS cache file (strip leading dot marker and any trailing dot).
  • Add new test test1638 and register it in the test list.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
| File | Description |
| --- | --- |
| lib/hsts.c | Merges duplicate cache entries using max expiry while preserving the strictest subdomain policy; trims trailing dot when loading from file. |
| lib/curlx/strparse.c | Adds curlx_str_trim() helper used for trimming parsed Curl_str values. |
| lib/curlx/strparse.h | Exposes the curlx_str_trim() prototype. |
| tests/data/test1638 | New regression test covering duplicate HSTS entries where the later entry adds subdomains. |
| tests/data/Makefile.am | Adds test1638 to the known test list. |

Comment thread tests/data/test1638
Comment thread tests/data/test1638 Outdated
Comment thread lib/curlx/strparse.c
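
The merge rule summarized in the review above, as an added example that is not code from this PR or from curl: a duplicate host keeps the later expiry, and includeSubDomains is never downgraded once any entry has set it. It assumes cache lines of the form `[.]host "YYYYMMDD HH:MM:SS"` with a leading dot marking includeSubDomains; `struct hsts_entry`, `hsts_load_line` and the lowercase host comparison are hypothetical choices made for this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

struct hsts_entry {   /* hypothetical, not curl's own struct */
  char host[64];
  char expires[24];   /* "YYYYMMDD HH:MM:SS" orders correctly as text */
  bool subdomains;
};
static struct hsts_entry cache[MAX_ENTRIES];  /* zero-initialized */
static size_t ncache;

/* Load one cache line. Returns the entry that was created or merged into,
   or NULL when the line does not parse or the table is full. */
struct hsts_entry *hsts_load_line(const char *line)
{
  char buf[64], date[24], *h = buf;
  struct hsts_entry *e;
  bool sub = false;
  size_t len, i;
  if(sscanf(line, "%63s \"%23[^\"]\"", buf, date) != 2)
    return NULL;
  if(*h == '.') {                 /* leading dot: includeSubDomains */
    sub = true;
    h++;
  }
  len = strlen(h);
  if(len && h[len - 1] == '.')    /* strip a trailing dot */
    h[--len] = '\0';
  if(!len)
    return NULL;
  for(i = 0; i < len; i++)        /* compare hosts case-insensitively */
    h[i] = (char)tolower((unsigned char)h[i]);
  for(i = 0; i < ncache && strcmp(cache[i].host, h); i++)
    ;
  if(i == MAX_ENTRIES)
    return NULL;
  e = &cache[i];
  if(i == ncache) {               /* first sighting: claim a blank slot */
    strcpy(e->host, h);
    ncache++;
  }
  if(strcmp(date, e->expires) > 0)        /* keep the later expiry */
    strcpy(e->expires, date);
  e->subdomains = e->subdomains || sub;   /* strictest policy wins */
  return e;
}
```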
@testclutch

Analysis of PR #21108 at 9f9c1ed2:

Test 1638 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 84 different CI jobs (the link just goes to one of them).

Generated by Testclutch

Otherwise a weaker earlier entry is allowed to override a later more
restrictive one.

Add test 1638 to verify.

Closes #21108
@bagder bagder force-pushed the bagder/hsts-dupe branch from cf97c59 to 353f8fc Compare March 26, 2026 21:22
@bagder bagder closed this in e1fdbdd Mar 26, 2026
@bagder bagder deleted the bagder/hsts-dupe branch March 26, 2026 22:27