blob: 0d649dc6a9f10dd8bc4afee4366d00018c68fea4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
related name resolution functions no longer involves a quadratic algorithm.
This prevents a potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were decoded. Some protocols
such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
to supply such a name.
Individual labels within an IDNA encoded DNS name will now raise an error early
during IDNA decoding if they are longer than 1024 unicode characters given that
each decoded DNS label must be 63 or fewer characters and the entire decoded
DNS name is limited to 255. Only an application presenting a hostname or label
consisting primarily of :rfc:`3454` section 3.1 "Nothing" characters to be
removed would run into of this new limit. See also :rfc:`5894` section 6 and
:rfc:`3491`.
|
