From: Daniel Stenberg
Date: Mon, 8 Dec 2025 09:20:04 +0000 (+0100)
Subject: hostcheck: fail wildcard match if host starts with a dot
X-Git-Tag: rc-8_18_0-2~102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2535c4298fede065c80b9255328c18b68d739522;p=thirdparty%2Fcurl.git
hostcheck: fail wildcard match if host starts with a dot
A hostname cannot start with a dot when DNS is used, but there are other ways. Amend unit test 1397 Closes #19869
---
diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c
index fbd460bc15..e56860a35b 100644
--- a/lib/vtls/hostcheck.c
+++ b/lib/vtls/hostcheck.c
@@ -92,8 +92,8 @@ static bool hostmatch(const char *hostname,
 if(strncmp(pattern, "*.", 2))
 return pmatch(hostname, hostlen, pattern, patternlen);
- /* detect IP address as hostname and fail the match if so */
- else if(Curl_host_is_ipnum(hostname))
+ /* detect host as IP address or starting with a dot and fail if so */
+ else if(Curl_host_is_ipnum(hostname) || (hostname[0] == '.'))
 return FALSE;
 /* We require at least 2 dots in the pattern to avoid too wide wildcard
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
index 6726c50530..dc4f135837 100644
--- a/tests/unit/unit1397.c
+++ b/tests/unit/unit1397.c
@@ -39,6 +39,8 @@ static CURLcode test_unit1397(const char *arg)
 };
 static const struct testcase tests[] = {
+ {".hello.com", "*.hello.com", FALSE },
+ {"a.hello.com", "*.hello.com", TRUE },
 { "", "", FALSE },
 { "a", "", FALSE },
 { "", "b", FALSE },
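Review bot: The comment added above the `else if` in lib/vtls/hostcheck.c says what is rejected but not why a leading dot matters on the wildcard path, which is the security-relevant part of the check. Judging by the new unit1397 row, a host such as `.hello.com` would otherwise give the wildcard an empty first label to match, so I would word it as `/* fail for IP addresses and for an empty first label (leading dot) */`. The guard sits only on the `*.` branch, so a pattern without a wildcard still goes to `pmatch()` unchanged; it is worth confirming that this is intended. hostmatch() starts and ends outside the hunk, so the later label comparison is not visible here.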
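Review bot: The two rows added at the top of `tests[]` in tests/unit/unit1397.c open with `{".hello.com"` and `{"a.hello.com"`, without the space after the brace that the existing rows use (`{ "", "", FALSE },`), and nothing says which behaviour they pin. I would write `{ ".hello.com", "*.hello.com", FALSE }, /* empty first label */` and `{ "a.hello.com", "*.hello.com", TRUE },` to match the table. The rest of the table lies outside the hunk, so I cannot tell whether the `a.hello.com` case repeats an existing row.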