From: Henrik Andersson
Date: Wed, 11 Mar 2020 15:52:00 +0000 (+0000)
Subject: Merge "Fix security vulnerability"
X-Git-Tag: 2.0.0~125
X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=4b0fd1c37e8ed164fdcb3288861910c37027b151;p=nonrtric.git
Merge "Fix security vulnerability"
---
4b0fd1c37e8ed164fdcb3288861910c37027b151
diff --cc dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
index 92c552f9,32646de4..a4fbcea4
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
@@@ -42,12 -41,14 +42,13 @@@ public final class HttpsURLConnectionUt
private static final HostnameVerifier jvmHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
- private static final HostnameVerifier trivialHostnameVerifier = (hostname, sslSession) -> true;
+ private static final HostnameVerifier trivialHostnameVerifier =
+ (hostname, sslSession) -> hostname.equalsIgnoreCase(sslSession.getPeerHost());
private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[] {new X509TrustManager() {
- @SuppressWarnings("squid:S1168") // Must return null to get wanted behaviour.
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
- return null;
+ return new java.security.cert.X509Certificate[0];
}
@Override
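Review bot: The new `trivialHostnameVerifier` still does not verify the server's identity: it compares `hostname` with `sslSession.getPeerHost()`, which the JSSE documentation describes as unauthenticated, and on a client that value is normally the very host name that was requested, so the lambda returns true for practically any certificate. Nothing in it looks at the certificate's subject alternative names, so the change appears to satisfy the static-analysis rule rather than close the man-in-the-middle exposure. If the bypass is meant only for test deployments, say so next to the field, e.g. `// Does NOT validate the peer certificate; getPeerHost() is unauthenticated. Test use only.`, and otherwise delegate to the `jvmHostnameVerifier` declared just above. The same concern applies to `UNQUESTIONING_TRUST_MANAGER`: returning an empty array from `getAcceptedIssuers()` is fine in itself, but its check methods lie outside this hunk and, going by the name, presumably accept every chain.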