if rp doesn't provide scheme or port, then ignore them in testing for audience match: issue #500

f9a1a3d5 · Lloyd Hilaiel · f580eef2 · f9a1a3d5
Commit f9a1a3d5 authored 13 years ago by Lloyd Hilaiel
--- a/verifier/lib/certassertion.js
+++ b/verifier/lib/certassertion.js
@@ -142,6 +142,8 @@ function retrieveHostPublicKey(host, successCB, errorCB) {
 //   it might be strangely formed.
 function compareAudiences(want, got) {
  try {
+    var checkHostOnly = false;
+
    // issue #82 - for a limited time, let's allow got to be sloppy and omit scheme
    // in which case we guess a scheme based on port
    if (!/^https?:\/\//.test(got)) {
@@ -149,6 +151,7 @@ function compareAudiences(want, got) {
      var scheme = "http";
      if (x.length === 2 && x[1] === '443') scheme = "https";
      got = scheme + "://" + got;
+      checkHostOnly = true;
    }

    // now parse and compare
@@ -161,9 +164,11 @@ function compareAudiences(want, got) {

    got = normalizeParsedURL(url.parse(got));

+    if (checkHostOnly) return want.hostname === got.hostname;
+
    return (want.protocol === got.protocol &&
            want.hostname === got.hostname &&
-            want.port === got.port);
+            want.port == got.port);
  } catch(e) {
    return false;
  }