hsts: make the HSTS read callback handle name dupes #21201
Pull request overview
This PR aligns HSTS entry de-duplication behavior between HSTS file loading and the CURLOPT_HSTSREADFUNCTION callback path, ensuring consistent selection of the longest expiry and strictest includeSubDomains policy, while normalizing hostnames from the callback.
Changes:
- Refactors shared “add HSTS host + expiry” logic into a helper used by both file parsing and callback ingestion.
- Normalizes callback-provided hostnames by stripping trailing dots and interpreting a leading dot as enabling includeSubDomains.
- Updates test 1915 to validate duplicate handling, subdomain strictness, and trailing-dot stripping.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/hsts.c | Introduces shared add/update helper and uses it for both file parsing and callback loading, including hostname normalization and duplicate merge rules. |
| tests/libtest/lib1915.c | Extends callback-fed preload list to include dupes/trailing-dot/leading-dot cases and prints includeSubDomains in output. |
| tests/data/test1915 | Updates expected stdout to reflect merged entries (strictest subdomain + longest expiry). |
| docs/libcurl/opts/CURLOPT_HSTSREADFUNCTION.md | Clarifies guidance around leading/trailing dots in callback-provided hostnames. |
Now the logic for handling name duplicates and picking the longest expiry and strictest subdomain is the same for the callback as for when reading from file.

Also strip trailing dots from the hostname added by the callback.

A minor side-effect is that the hostname provided by the callback can now enable subdomains by starting the name with a dot, but we discourage using such hostnames in documentation.

Amended test 1915 to verify.

Closes #21201
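The merge rules described above (longest expiry, strictest includeSubDomains, trailing dots stripped, leading dot enabling subdomains), modelled as an added example that is not code from this PR or from libcurl. The names `hsts_entry`, `hsts_store` and `hsts_put`, the fixed-size store, the removal of the leading dot from the stored name and the case-insensitive name match are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>

/* Hypothetical in-memory store; not libcurl's data structures. */
struct hsts_entry { char host[256]; bool subdomains; time_t expires; };
struct hsts_store { struct hsts_entry e[16]; size_t n; };

/* Normalize a name, then add it or merge it into an existing entry.
   Returns the entry, or NULL for an empty/oversized name or a full store. */
static struct hsts_entry *hsts_put(struct hsts_store *s, const char *name,
                                   bool subdomains, time_t expires)
{
  size_t len, i;
  if(*name == '.') {                 /* leading dot enables subdomains */
    subdomains = true;
    name++;                          /* assumption: dot is not stored */
  }
  len = strlen(name);
  while(len && name[len - 1] == '.') /* strip trailing dots */
    len--;
  if(!len || len >= sizeof(s->e[0].host))
    return NULL;
  for(i = 0; i < s->n; i++) {
    struct hsts_entry *e = &s->e[i];
    /* assumption: hostnames compare case-insensitively */
    if(strlen(e->host) == len && !strncasecmp(e->host, name, len)) {
      if(expires > e->expires)       /* duplicate: keep longest expiry */
        e->expires = expires;
      e->subdomains = e->subdomains || subdomains; /* strictest wins */
      return e;
    }
  }
  if(s->n == sizeof(s->e) / sizeof(s->e[0]))
    return NULL;
  memcpy(s->e[s->n].host, name, len);
  s->e[s->n].host[len] = '\0';
  s->e[s->n].subdomains = subdomains;
  s->e[s->n].expires = expires;
  return &s->e[s->n++];
}

int main(void)
{
  static struct hsts_store s;        /* constructed sample input below */
  hsts_put(&s, "example.com", false, 1000);
  struct hsts_entry *e = hsts_put(&s, "Example.COM.", true, 500);
  printf("%s sub=%d exp=%ld n=%zu\n", e->host, e->subdomains,
         (long)e->expires, s.n);
  return 0;
}
```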
🔒 Aisle Security Analysis

✅ We scanned this PR and did not find any security vulnerabilities. Aisle supplements but does not replace security review.

Analyzed PR: #21201 at commit

Last updated on: 2026-04-02T11:37:13Z