Skip to content

Fix PublicSuffixMatcherLoader#getDefault#621

Merged
ok2c merged 3 commits into
apache:masterfrom
joegallo:fix-public-suffix-matcher-loader-get-default
Mar 6, 2025
Merged

Fix PublicSuffixMatcherLoader#getDefault#621
ok2c merged 3 commits into
apache:masterfrom
joegallo:fix-public-suffix-matcher-loader-get-default

Conversation

@joegallo

@joegallo joegallo commented Mar 5, 2025

Copy link
Copy Markdown
Contributor

The code of getDefault reads like it's supposed to load the entries from PUBLIC_SUFFIX_LIST by default, but it doesn't actually work that way in practice. I think this is a bug. This works correctly on 4.x, but the list there already starts with a leading slash:

This was sneaking past the tests, because the test for getDefault only checks that it isn't null, but a non-null nearly empty default PublicSuffixMatcher is still provided in the case of the url not existing, and the tests for PublicSuffixMatcher themselves reimplement the default loading logic (correctly, since they rely on ClassLoader#getResource rather than Class#getResource) and so they weren't running into the bug either.

joegallo added 3 commits March 5, 2025 16:53
since is the being resolved via Class#getResource, the path to the
file in question is absolute, not relative.
@ok2c ok2c merged commit c687247 into apache:master Mar 6, 2025
@ok2c

ok2c commented Mar 6, 2025

Copy link
Copy Markdown
Member

@joegallo That you for contributing this fix.

ok2c pushed a commit that referenced this pull request Mar 6, 2025
@ok2c

ok2c commented Mar 6, 2025

Copy link
Copy Markdown
Member

Cherry-picked to 5.4.x

@joegallo joegallo deleted the fix-public-suffix-matcher-loader-get-default branch March 6, 2025 13:37
@KeekLove

KeekLove commented Jul 8, 2025

Copy link
Copy Markdown

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27820
Will it affect httpclient4?

@arturobernalg

Copy link
Copy Markdown
Member

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27820 Will it affect httpclient4?

Only 5.4.0, 5.4.1, and 5.4.2, explicitly excluding 5.4.3

@KeekLove

KeekLove commented Jul 9, 2025

Copy link
Copy Markdown

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27820 Will it affect httpclient4?

Only 5.4.0, 5.4.1, and 5.4.2, explicitly excluding 5.4.3

Thank you so much

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants