Bug 903885, address wtc's review requests to clarify comments
DONTBUILD
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1389,18 +1389,18 @@ cert_TestHostName(char * cn, const char
/* For a cn pattern to be considered valid, the wildcard character...
* - may occur only in a DNS name with at least 3 components, and
* - may occur only as last character in the first component, and
* - may be preceded by additional characters, and
* - must not be preceded by an IDNA ACE prefix (xn--)
*/
if (wildcard && secondcndot && secondcndot[1] && firsthndot
- && firstcndot - wildcard == 1 /* no chars between * and . */
- && secondcndot - firstcndot > 1 /* not .. */
+ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
+ && secondcndot - firstcndot > 1 /* second component is non-empty */
&& PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
&& !PORT_Strncasecmp(cn, hn, wildcard - cn)
&& !PORT_Strcasecmp(firstcndot, firsthndot)
/* If hn starts with xn--, then cn must start with wildcard */
&& (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
/* valid wildcard pattern match */
return SECSuccess;
}