Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

author: Antoine Pitrou <solipsis@pitrou.net> 2013-05-18 17:59:12 +0200
committer: Antoine Pitrou <solipsis@pitrou.net> 2013-05-18 17:59:12 +0200
commit: 31fb419908c63419b4f725e1ad457a9fd0eee526 (patch)
tree: a3c8e3a3bb4823643289d8e4d06d92f97019664d /Lib/ssl.py
parent: 1a8c3e247a2c41c1f3a9eceb39bb0e9e5a3d0c6f (diff)
parent: 636f93c63ba286249c1207e3a903f8429efb2041 (diff)
download: cpython-git-31fb419908c63419b4f725e1ad457a9fd0eee526.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 36f3098312..8af22c7e4c 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -160,9 +160,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
author	Antoine Pitrou <solipsis@pitrou.net>	2013-05-18 17:59:12 +0200
committer	Antoine Pitrou <solipsis@pitrou.net>	2013-05-18 17:59:12 +0200
commit	31fb419908c63419b4f725e1ad457a9fd0eee526 (patch)
tree	a3c8e3a3bb4823643289d8e4d06d92f97019664d /Lib/ssl.py
parent	1a8c3e247a2c41c1f3a9eceb39bb0e9e5a3d0c6f (diff)
parent	636f93c63ba286249c1207e3a903f8429efb2041 (diff)
download	cpython-git-31fb419908c63419b4f725e1ad457a9fd0eee526.tar.gz