Search Issue Tracker
By Design
Votes
0
Found in
2018.3
2018.3.14f1
2018.4
2019.1
Issue ID
1190682
Regression
No
[2018.4] UnityWebRequest.java has a sHostnameVerifier which doesn't have server identity check implemented
UnityWebRequest.java has a sHostnameVerifier variable which doesn't have server identity check implemented.
Actual result: the verify boolean is just set to True.
Expected result: The verification happens and verify is set either to True or False.
Reproducible with: 2018.3, 2018.4, 2019.1.
Not reproducible with: 2019.2, 2019.3, 2020.1.
Notes:
- The issue is not reproducible with any repro steps, more information in the edits.
- The UnityWebRequest.java is implemented in 2018.3 and removed since 2019.2.
Add comment
All about bugs
View bugs we have successfully reproduced, and vote for the bugs you want to see fixed most urgently.
Latest issues
- [Android] Stage information is not logged when Log Shader Compilation is enabled
- [Vulkan] The memory allocation increases rapidly when there are multiple (three or more) Real-Time Reflection Probes in the Scene
- [macOS] Library folder of the opened project can be deleted which leads to the crash
- “Default Scene” dropdown field contains a spelling mistake “Default Builtin”
- Editor crashes on PPtr<Mesh> after adding Text Mesh and Cloth Components to the same GameObject
Resolution Note:
This issue is not so straight forward.
The mentioned sHostnameVerifier is only used when UnityWebRequest has a CertificateHandler attached to it. The point of CertificateHandler is to establish trust with the server, when it's attached, it is completely up to implementer of it to determine the trust.
Based on this it currently looks like a false positive from code analysis.
Unless it's proven to be impossible to implement hostname verification in a CertificateHandler.
Additional note: I've tried on a couple of different phones to access https://wrong.host.badssl.com/ which I believe is a showcase of such verification. The verifier was not called on either of them.