author | Matthias Andree <matthias.andree@gmx.de> | 2010-08-27 20:59:54 +0200 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2010-08-27 21:10:43 +0200 |
commit | 0fc373e3e6c2a4016bdf2467eba2d59c920158e1 | |
tree | 5f3b5dcc0135dc12466328ce44a9cfe9df916f5a | |
parent | 121bfdf03f639a0979d340f60880038fafc739b0 | |
Require that X.509 wildcards start with "*.",
rather than just "*", to make abuse harder.
-rw-r--r-- | NEWS | 3 |
-rw-r--r-- | socket.c | 2 |
2 files changed, 4 insertions, 1 deletions
@@ -78,6 +78,9 @@ fetchmail-6.3.18 (not yet released): credentials. This avoids getting servers such as Exchange 2007 wedged if GSSAPI authentication fails. Reported by Patrick Rynhart, Debian Bug #568455, and Alan Murrell, to the fetchmail-users list. +* Fetchmail now only accepts wildcard certificate common names and subject + alternative names if they start with "*.". Previous versions would accept + wildcards even if no period followed immediately. # CHANGES * When encountering incorrect headers, fetchmail will refer to the bad-header @@ -600,7 +600,7 @@ SSL *SSLGetContext( int sock ) * The only place where a wildcard is allowed is in the leftmost * position of p1. */ static int name_match(const char *p1, const char *p2) { - if (p1[0] == '*') { + if (p1[0] == '*' && p1[1] == '.') { size_t l1, l2; ++p1; |
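Review bot: the NEWS hunk states the new rule but not what it protects against: "Previous versions would accept wildcards even if no period followed immediately" leaves the reader to work out the consequence. Suggest one more sentence making it concrete, for example that a certificate name such as "*example.com" previously entered the wildcard branch of the matcher and is now treated like any other name, so a wildcard certificate can only cover hosts below a literal "*." label. The entry also speaks of both common names and subject alternative names, while the only code touched by this patch is name_match() in socket.c; that is accurate only if both the CN check and the SAN check are routed through name_match(), which is worth confirming in socket.c before the entry is worded this broadly.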
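Review bot: the socket.c hunk leaves the comment directly above name_match() out of date. "The only place where a wildcard is allowed is in the leftmost position of p1" no longer describes the condition; with `if (p1[0] == '*' && p1[1] == '.')` a wildcard is honoured only as a leading "*." label, so the comment should say that the asterisk must be immediately followed by a period and that a pattern like "*example.com" now falls through to the non-wildcard comparison after the if block (not shown in the hunk), where it can only match a peer name that literally contains '*'. Two points to verify in the code that follows the visible `++p1`: because p1 now always begins with '.' when that code runs, the suffix being compared includes the dot, which is what stops "*example.com" from matching "evilexample.com", but the new condition still admits a bare "*." and very broad wildcards such as "*.com", so only the suffix comparison below can reject those if that is intended. Reading p1[1] is safe here: p1[0] == '*' guarantees at least the terminating NUL follows.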