|
 |
fb26433 |
# HG changeset patch
|
|
|
fb26433 |
# User Antoine Pitrou <solipsis@pitrou.net>
|
|
|
fb26433 |
# Date 1368892602 -7200
|
|
|
fb26433 |
# Node ID c627638753e2d25a98950585b259104a025937a9
|
|
|
fb26433 |
# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
|
|
|
fb26433 |
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
|
|
|
fb26433 |
|
|
|
fb26433 |
diff --git a/Lib/ssl.py b/Lib/ssl.py
|
|
|
fb26433 |
--- a/Lib/ssl.py
|
|
|
fb26433 |
+++ b/Lib/ssl.py
|
|
|
fb26433 |
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
|
|
|
fb26433 |
pass
|
|
|
fb26433 |
|
|
|
fb26433 |
|
|
|
fb26433 |
-def _dnsname_to_pat(dn):
|
|
|
fb26433 |
+def _dnsname_to_pat(dn, max_wildcards=1):
|
|
|
fb26433 |
pats = []
|
|
|
fb26433 |
for frag in dn.split(r'.'):
|
|
|
fb26433 |
+ if frag.count('*') > max_wildcards:
|
|
|
fb26433 |
+ # Issue #17980: avoid denials of service by refusing more
|
|
|
fb26433 |
+ # than one wildcard per fragment. A survery of established
|
|
|
fb26433 |
+ # policy among SSL implementations showed it to be a
|
|
|
fb26433 |
+ # reasonable choice.
|
|
|
fb26433 |
+ raise CertificateError(
|
|
|
fb26433 |
+ "too many wildcards in certificate DNS name: " + repr(dn))
|
|
|
fb26433 |
if frag == '*':
|
|
|
fb26433 |
# When '*' is a fragment by itself, it matches a non-empty dotless
|
|
|
fb26433 |
# fragment.
|
|
|
fb26433 |
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
|
|
fb26433 |
--- a/Lib/test/test_ssl.py
|
|
|
fb26433 |
+++ b/Lib/test/test_ssl.py
|
|
|
fb26433 |
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
|
|
|
fb26433 |
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
|
|
|
fb26433 |
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
|
|
|
fb26433 |
|
|
|
fb26433 |
+ # Issue #17980: avoid denials of service by refusing more than one
|
|
|
fb26433 |
+ # wildcard per fragment.
|
|
|
fb26433 |
+ cert = {'subject': ((('commonName', 'a*b.com'),),)}
|
|
|
fb26433 |
+ ok(cert, 'axxb.com')
|
|
|
fb26433 |
+ cert = {'subject': ((('commonName', 'a*b.co*'),),)}
|
|
|
fb26433 |
+ ok(cert, 'axxb.com')
|
|
|
fb26433 |
+ cert = {'subject': ((('commonName', 'a*b*.com'),),)}
|
|
|
fb26433 |
+ with self.assertRaises(ssl.CertificateError) as cm:
|
|
|
fb26433 |
+ ssl.match_hostname(cert, 'axxbxxc.com')
|
|
|
fb26433 |
+ self.assertIn("too many wildcards", str(cm.exception))
|
|
|
fb26433 |
+
|
|
|
fb26433 |
def test_server_side(self):
|
|
|
fb26433 |
# server_hostname doesn't work for server sockets
|
|
|
fb26433 |
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|