Tighten URL parsing in OCSP_parse_url

prasden · prasden · commit 72dc1b6bf8e9 · 2026-05-08T16:12:51.000-07:00
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
@@ -162,10 +162,10 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
 
   // Set default ports for http and https. If a port is specified later, this
   // will be overwritten. |pssl| will be set to true, if https is being used.
-  if (strncmp(buffer, "https", 5) == 0) {
+  if (strcmp(buffer, "https") == 0) {
     *pssl = 1;
     port = (char *)"443";
-  } else if (strncmp(buffer, "http", 4) == 0) {
+  } else if (strcmp(buffer, "http") == 0) {
     *pssl = 0;
     port = (char *)"80";
   } else {
diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc
@@ -1604,6 +1604,13 @@ static const OCSPURLTestVector kOCSPURLVectors[] = {
     // No closing bracket for ipv6.
     {"http://[2001:db8::1/", nullptr, nullptr, nullptr, 0,
      OCSP_URL_PARSE_ERROR},
+    // Protocol must match exactly, not just as a prefix.
+    {"https1://ocsp.example.com/", nullptr, nullptr, nullptr, 0,
+     OCSP_URL_PARSE_ERROR},
+    {"httpss://ocsp.example.com/", nullptr, nullptr, nullptr, 0,
+     OCSP_URL_PARSE_ERROR},
+    {"httpe://ocsp.example.com/path", nullptr, nullptr, nullptr, 0,
+     OCSP_URL_PARSE_ERROR},
 };
 
 class OCSPURLTest : public testing::TestWithParam<OCSPURLTestVector> {};
