diff options
| -rw-r--r-- | Lib/ssl.py | 9 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 11 | ||||
| -rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 22 insertions, 1 deletions
@@ -108,9 +108,16 @@ class CertificateError(ValueError): pass -def _dnsname_to_pat(dn): +def _dnsname_to_pat(dn, max_wildcards=1): pats = [] for frag in dn.split(r'.'): + if frag.count('*') > max_wildcards: + # Issue #17980: avoid denials of service by refusing more + # than one wildcard per fragment. A survery of established + # policy among SSL implementations showed it to be a + # reasonable choice. + raise CertificateError( + "too many wildcards in certificate DNS name: " + repr(dn)) if frag == '*': # When '*' is a fragment by itself, it matches a non-empty dotless # fragment. diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index d1cb3f1..4d67fa1 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -326,6 +326,17 @@ class BasicSocketTests(unittest.TestCase): self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + # Issue #17980: avoid denials of service by refusing more than one + # wildcard per fragment. + cert = {'subject': ((('commonName', 'a*b.com'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b.co*'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b*.com'),),)} + with self.assertRaises(ssl.CertificateError) as cm: + ssl.match_hostname(cert, 'axxbxxc.com') + self.assertIn("too many wildcards", str(cm.exception)) + def test_server_side(self): # server_hostname doesn't work for server sockets ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) @@ -10,6 +10,9 @@ What's New in Python 3.2.5? Library ------- +- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of + service using certificates with many wildcards (CVE-2013-2099). + - Issue #17192: Restore the patch for Issue #11729 and Issue #10309 which were omitted in 3.2.4 when updating the bundled version of libffi used by ctypes. |