diff options
author | MÃ¥rten Nordheim <marten.nordheim@qt.io> | 2023-05-05 11:07:26 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2023-05-09 05:36:22 +0000 |
commit | 175ebe0b6aa1872c9e3d08da2891f9cff427e7d4 (patch) | |
tree | 6996f72c3c7250b9d0519923f0f8d91eebab58db | |
parent | b44dcfa1ee64b7a9036ab20597f107c14cce19dc (diff) | |
download | qtbase-175ebe0b6aa1872c9e3d08da2891f9cff427e7d4.tar.gz |
Hsts: match header names case insensitively
Header field names are always considered to be case-insensitive.
Fixes: QTBUG-113392
Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/network/access/qhsts.cpp | 4 | ||||
-rw-r--r-- | tests/auto/network/access/hsts/tst_qhsts.cpp | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp index 39905f3548..82deede172 100644 --- a/src/network/access/qhsts.cpp +++ b/src/network/access/qhsts.cpp @@ -327,8 +327,8 @@ quoted-pair = "\" CHAR bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) { for (const auto &h : headers) { - // We use '==' since header name was already 'trimmed' for us: - if (h.first == "Strict-Transport-Security") { + // We compare directly because header name was already 'trimmed' for us: + if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { header = h.second; // RFC6797, 8.1: // diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp index 252f5e8f57..97a2d2889e 100644 --- a/tests/auto/network/access/hsts/tst_qhsts.cpp +++ b/tests/auto/network/access/hsts/tst_qhsts.cpp @@ -217,6 +217,12 @@ void tst_QHsts::testSTSHeaderParser() QVERIFY(parser.includeSubDomains()); list.pop_back(); + list << Header("strict-transport-security", "includeSubDomains;max-age=1000"); + QVERIFY(parser.parse(list)); + QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); + QVERIFY(parser.includeSubDomains()); + + list.pop_back(); // Invalid (includeSubDomains twice): list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains"); QVERIFY(!parser.parse(list)); |