CVE-2023-32762
authorDebian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Sun, 28 Apr 2024 20:48:02 +0000 (22:48 +0200)
committerThorsten Alteholz <debian@alteholz.de>
Sun, 28 Apr 2024 20:48:02 +0000 (22:48 +0200)
commit 1b736a815be0222f4b24289cf17575fc15707305
Author: Mårten Nordheim <marten.nordheim@qt.io>
Date:   Fri May 5 11:07:26 2023 +0200

    Hsts: match header names case insensitively

    Header field names are always considered to be case-insensitive.

Pick-to: 6.5 6.5.1 6.2 5.15
Fixes: QTBUG-113392
    Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name CVE-2023-32762.diff

src/network/access/qhsts.cpp
tests/auto/network/access/hsts/tst_qhsts.cpp

index 0cef0ad3dc011d197665a185242afc09be2e9242..be7ef7ff58f5c59bf481702c49d913676660f071 100644 (file)
@@ -364,8 +364,8 @@ quoted-pair    = "\" CHAR
 bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
 {
     for (const auto &h : headers) {
-        // We use '==' since header name was already 'trimmed' for us:
-        if (h.first == "Strict-Transport-Security") {
+        // We compare directly because header name was already 'trimmed' for us:
+        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
             header = h.second;
             // RFC6797, 8.1:
             //
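Review bot: The rewritten comment on the `// We compare directly ...` line drops the reason the comparison changed, which is the security-relevant part: header field names are case-insensitive, and the previous exact `==` match let a `strict-transport-security` header in any other spelling be ignored, so no HSTS policy was recorded for that host. Suggest `// Header field names are case-insensitive, so a lowercase or mixed-case spelling must still be recognised; the name is already trimmed, so only case needs normalising here.` The `header = h.second;` assignment on the following line overwrites any earlier match, and whether the loop stops at the first matching header as RFC6797 8.1 requires depends on code after the `// RFC6797, 8.1:` comment, which lies outside the hunk. QHstsHeaderParser::parse continues past the end of the hunk.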
index d72991a2eb67317d5353a1f9519f7b5c0e00b935..c3c5f58c222ac5f54a37e5b91c092b3d98c15b6a 100644 (file)
@@ -241,6 +241,12 @@ void tst_QHsts::testSTSHeaderParser()
     QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
     QVERIFY(parser.includeSubDomains());
 
+    list.pop_back();
+    list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
+    QVERIFY(parser.parse(list));
+    QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
+    QVERIFY(parser.includeSubDomains());
+
     list.pop_back();
     // Invalid (includeSubDomains twice):
     list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
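Review bot: The added case at `list << Header("strict-transport-security", ...)` exercises only the all-lowercase spelling, so it does not distinguish a genuinely case-insensitive comparison from an implementation that merely lowercases one side. A second entry with mixed case, e.g. `list << Header("STRICT-transport-SECURITY", "includeSubDomains;max-age=1000");` followed by the same three QVERIFY checks, would pin the intended behaviour more tightly. tst_QHsts::testSTSHeaderParser begins before this hunk.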