diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2013-05-18 15:56:42 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2013-05-18 15:56:42 (GMT) |
| commit | 636f93c63ba286249c1207e3a903f8429efb2041 (patch) | |
| tree | 9a8053ff51254cfbd7b4b6437e699f21ae17338e /Lib/test/test_ssl.py | |
| parent | ef9683b73f8980fb7cfa39166670d3998b092804 (diff) | |
| download | cpython-636f93c63ba286249c1207e3a903f8429efb2041.zip cpython-636f93c63ba286249c1207e3a903f8429efb2041.tar.gz cpython-636f93c63ba286249c1207e3a903f8429efb2041.tar.bz2 | |
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
Diffstat (limited to 'Lib/test/test_ssl.py')
| -rw-r--r-- | Lib/test/test_ssl.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 815475e..1c4aa7c 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase): self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + # Issue #17980: avoid denials of service by refusing more than one + # wildcard per fragment. + cert = {'subject': ((('commonName', 'a*b.com'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b.co*'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b*.com'),),)} + with self.assertRaises(ssl.CertificateError) as cm: + ssl.match_hostname(cert, 'axxbxxc.com') + self.assertIn("too many wildcards", str(cm.exception)) + def test_server_side(self): # server_hostname doesn't work for server sockets ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |