From 07aee578a64a0732848edae7067420f566e1b8af Mon Sep 17 00:00:00 2001
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Date: Thu, 27 Nov 2025 15:54:31 +0100
Subject: [PATCH] CVE-2023-32762
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

commit 1b736a815be0222f4b24289cf17575fc15707305
Author: MÃ¥rten Nordheim <marten.nordheim@qt.io>
Date:   Fri May 5 11:07:26 2023 +0200

    Hsts: match header names case insensitively

    Header field names are always considered to be case-insensitive.

    Pick-to: 6.5 6.5.1 6.2 5.15
    Fixes: QTBUG-113392
    Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
    Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
    Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
    Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>


Gbp-Pq: Name CVE-2023-32762.diff
---
 src/network/access/qhsts.cpp                 | 4 ++--
 tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
index 0cef0ad3d..be7ef7ff5 100644
--- a/src/network/access/qhsts.cpp
+++ b/src/network/access/qhsts.cpp
@@ -364,8 +364,8 @@ quoted-pair    = "\" CHAR
 bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
 {
     for (const auto &h : headers) {
-        // We use '==' since header name was already 'trimmed' for us:
-        if (h.first == "Strict-Transport-Security") {
+        // We compare directly because header name was already 'trimmed' for us:
+        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
             header = h.second;
             // RFC6797, 8.1:
             //
diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
index d72991a2e..c3c5f58c2 100644
--- a/tests/auto/network/access/hsts/tst_qhsts.cpp
+++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
@@ -241,6 +241,12 @@ void tst_QHsts::testSTSHeaderParser()
     QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
     QVERIFY(parser.includeSubDomains());
 
+    list.pop_back();
+    list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
+    QVERIFY(parser.parse(list));
+    QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
+    QVERIFY(parser.includeSubDomains());
+
     list.pop_back();
     // Invalid (includeSubDomains twice):
     list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
-- 
2.30.2