


Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).




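--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment. A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.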
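Review bot: The comment added above the new `raise` hard-codes "more than one wildcard per fragment" (and misspells "survery"), while the actual limit is the new, undocumented `max_wildcards` parameter; I would fix the typo and give the function a docstring such as `"""Compile *dn* into a hostname-matching regex; raise CertificateError if any label contains more than *max_wildcards* '*' characters (issue #17980, CVE-2013-2099)."""`. Note that the check only bounds wildcards per label: a wildcard may still appear in any label and mixed with literal characters (the commit's own test accepts `a*b.co*`), which RFC 6125 section 6.4.3 discourages, so a follow-up comment stating that this is deliberately only a DoS bound would help the next reader. The error message embeds `repr(dn)` taken from an untrusted certificate, which is acceptable for a CertificateError but should be treated as attacker-controlled by anything that logs it. The body of `_dnsname_to_pat` continues past the end of the hunk.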

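--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@ def fail(cert, hostname):
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)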
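Review bot: The new assertions only exercise the commonName path; match_hostname also consults subjectAltName dNSName entries (not visible in this hunk), so the wildcard limit should be pinned there as well with something like `cert = {'subjectAltName': (('DNS', 'a*b*.com'),)}` followed by the same `assertRaises(ssl.CertificateError)` check. The `max_wildcards` parameter is never exercised at a non-default value, so a regression that silently ignores it would still pass this test. The enclosing test method starts above the hunk; `fail` in the hunk header is a nested helper, not the test itself.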

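--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+  service using certificates with many wildcards (CVE-2013-2099).
+
 - Issue #17981: Closed socket on error in SysLogHandler.
 
 - Fix typos in the multiprocessing module.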
