# Copied over from the desktop consolidation, which has the comment:

# date:2011-02-16 owner:liyuan type bug bugster:7008664

# Bugster CR #7008664 is now BugDB CR #15688660

# 15688660 SUNBT7008664-SOLARIS_11 CVE-2010-2074 w3m problems handling x.509 data

#

# This patch needs to be evaluated to see if it needs to be passed upstream.

--- w3m-0.5.2/istream.c	2007-05-23 23:06:05.000000000 +0800

+++ w3m-0.5.3/istream.c	2011-01-04 17:22:22.000000000 +0800

@@ -1,4 +1,4 @@

-/* $Id: istream.c,v 1.26 2007/05/23 15:06:05 inu Exp $ */

+/* $Id: istream.c,v 1.27 2010/07/18 13:43:23 htrb Exp $ */

 #include "fm.h"

 #include "myctype.h"

 #include "istream.h"

@@ -447,8 +447,17 @@

 		    if (!seen_dnsname)

 			seen_dnsname = Strnew();

+		    /* replace \0 to make full string visible to user */

+		    if (sl != strlen(sn)) {

+			int i;

+			for (i = 0; i < sl; ++i) {

+			    if (!sn[i])

+				sn[i] = '!';

+			}

+		    }

 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);

-		    if (ssl_match_cert_ident(sn, sl, hostname))

+		    if (sl == strlen(sn) /* catch \0 in SAN */

+			&& ssl_match_cert_ident(sn, sl, hostname))

 			break;

 		}

 	    }

@@ -466,16 +475,27 @@

     if (match_ident == FALSE && ret == NULL) {

 	X509_NAME *xn;

 	char buf[2048];

+	int slen;

 	xn = X509_get_subject_name(x);

-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,

-				      buf, sizeof(buf)) == -1)

+	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));

+	if ( slen == -1)

 	    /* FIXME: gettextize? */

 	    ret = Strnew_charp("Unable to get common name from peer cert");

-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))

+	else if (slen != strlen(buf)

+		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {

+	    /* replace \0 to make full string visible to user */

+	    if (slen != strlen(buf)) {

+		int i;

+		for (i = 0; i < slen; ++i) {

+		    if (!buf[i])

+			buf[i] = '!';

+		}

+	    }

 	    /* FIXME: gettextize? */

 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);

+	}

 	else

 	    match_ident = TRUE;

     }