blob: 57a4c061b7a419b058c9c6d2409838bbef044fce (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
Description: Fix possible abuse of ssl.match_hostname() for denial
of service using certificates with many wildcards (CVE-2013-2099)
Origin: http://hg.python.org/cpython/rev/c627638753e2
Bug: http://bugs.python.org/issue17980
Bug-Debian: http://bugs.debian.org/709070
--- a/urllib3/packages/ssl_match_hostname/__init__.py
+++ b/urllib3/packages/ssl_match_hostname/__init__.py
@@ -7,9 +7,16 @@
class CertificateError(ValueError):
pass
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
pats = []
for frag in dn.split(r'.'):
+ if frag.count('*') > max_wildcards:
+ # Issue #17980: avoid denials of service by refusing more
+ # than one wildcard per fragment. A survery of established
+ # policy among SSL implementations showed it to be a
+ # reasonable choice.
+ raise CertificateError(
+ "too many wildcards in certificate DNS name: " + repr(dn))
if frag == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
|