Bugfix: wildcard matching can be wrong in certain cases (#56)

* Make sure '*.ap.com' does not pretend to be applicable to 'coinmarketcap.com' * style * fix
spatie · Feb 5, 2018 · 14fda84 · 14fda84
1 parent cba02a5
commit 14fda84
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/src/SslCertificate.php b/src/SslCertificate.php
@@ -186,9 +186,17 @@ protected function wildcardHostCoversHost(string $wildcardHost, string $host): b
             return false;
         }
 
-        $wildcardHostWithoutWildcard = substr($wildcardHost, 2);
+        if (substr_count($wildcardHost, '.') < substr_count($host, '.')) {
+            return false;
+        }
+
+        $wildcardHostWithoutWildcard = substr($wildcardHost, 1);
+        $hostWithDottedPrefix = '.'.$host;
+        if (ends_with($hostWithDottedPrefix, $wildcardHostWithoutWildcard)) {
+            return true;
+        }
 
-        return substr_count($wildcardHost, '.') >= substr_count($host, '.') && ends_with($host, $wildcardHostWithoutWildcard);
+        return false;
     }
 
     public function getRawCertificateFieldsJson(): string

diff --git a/tests/SslCertificateTest.php b/tests/SslCertificateTest.php
@@ -255,4 +255,14 @@ public function it_can_be_encoded_as_json()
 
         $this->assertGreaterThan(1000, strlen($serializable));
     }
+
+    /** @test */
+    public function does_not_notify_on_wrong_domains()
+    {
+        $rawCertificateFields = json_decode(file_get_contents(__DIR__.'/stubs/certificateWithRandomWildcardDomains.json'), true);
+
+        $this->certificate = new SslCertificate($rawCertificateFields);
+
+        $this->assertFalse($this->certificate->appliesToUrl('https://coinmarketcap.com'));
+    }
 }
diff --git a/tests/stubs/certificateWithRandomWildcardDomains.json b/tests/stubs/certificateWithRandomWildcardDomains.json
@@ -0,0 +1 @@
+{"name":"\/CN=somerandom.tld","subject":{"CN":"somerandom.tld"},"hash":"374a1154","issuer":{"C":"US","O":"Let's Encrypt","CN":"Let's Encrypt Authority X3"},"version":2,"serialNumber":"267977138471675133728493439824231787816484","validFrom":"160519165000Z","validTo":"160817165000Z","validFrom_time_t":1463676600,"validTo_time_t":1471452600,"signatureTypeSN":"RSA-SHA256","signatureTypeLN":"sha256WithRSAEncryption","signatureTypeNID":668,"purposes":{"1":[true,false,"sslclient"],"2":[true,false,"sslserver"],"3":[true,false,"nssslserver"],"4":[false,false,"smimesign"],"5":[false,false,"smimeencrypt"],"6":[false,false,"crlsign"],"7":[true,true,"any"],"8":[true,false,"ocsphelper"]},"extensions":{"keyUsage":"Digital Signature, Key Encipherment","extendedKeyUsage":"TLS Web Server Authentication, TLS Web Client Authentication","basicConstraints":"CA:FALSE","subjectKeyIdentifier":"2E:D7:F6:B0:5C:89:EB:58:71:F8:B8:6D:02:5C:FE:22:90:C6:65:E0","authorityKeyIdentifier":"keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1\n","authorityInfoAccess":"OCSP - URI:http:\/\/ocsp.int-x3.letsencrypt.org\/\nCA Issuers - URI:http:\/\/cert.int-x3.letsencrypt.org\/\n","subjectAltName":"DNS:somerandom.tld, DNS:www.somerandom.tld, DNS:com, DNS:it, DNS:*.ap.com","certificatePolicies":"Policy: 2.23.140.1.2.1\nPolicy: 1.3.6.1.4.1.44947.1.1.1\n  CPS: http:\/\/cps.letsencrypt.org\n  User Notice:\n    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https:\/\/letsencrypt.org\/repository\/\n"}}