From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001

From: Toshio Kuratomi <toshio@fedoraproject.org>

Date: Mon, 15 Jul 2013 10:58:20 -0700

Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported

 from the python3 stdlib

---

 pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py

index 5707649..a6fadf4 100644

--- a/pip/backwardcompat/ssl_match_hostname.py

+++ b/pip/backwardcompat/ssl_match_hostname.py

@@ -7,9 +7,17 @@ __version__ = '3.2a3'

 class CertificateError(ValueError):

     pass

-def _dnsname_to_pat(dn):

+def _dnsname_to_pat(dn, max_wildcards=1):

     pats = []

     for frag in dn.split(r'.'):

+        if frag.count('*') > max_wildcards:

+            # Issue #17980: avoid denials of service by refusing more

+            # than one wildcard per fragment.  A survery of established

+            # policy among SSL implementations showed it to be a

+            # reasonable choice.

+            raise CertificateError(

+                "too many wildcards in certificate DNS name: " + repr(dn))

+

         if frag == '*':

             # When '*' is a fragment by itself, it matches a non-empty dotless

             # fragment.

-- 

1.7.11.7