author Christian Heimes <christian@python.org> 2019-07-02 20:39:42 +0200
committer Ned Deily <nad@python.org> 2019-07-02 14:42:08 -0400
commit 070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557 (patch)
tree bf94f445c48b472916d502d4f2f06a4994ff7ee8 /Misc
parent dcc0eb379613f279864af61023ea44c94aa0535c (diff)
download cpython-git-070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557.tar.gz

bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499)

ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'.

Short notations like '127.1' for '127.0.0.1' were already filtered out.

The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

Signed-off-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue37463

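The strictness the commit message describes can be checked with a round trip through inet_aton() and inet_ntoa(). This is an added example, not code from this commit or from CPython; `strict_ipv4`, `is_strict_ipv4`, `ip_matches_san` and the sample strings are hypothetical names and constructed inputs.

```python
import socket


def strict_ipv4(text):
    """Return the packed 4 bytes for a canonical quad-dotted IPv4 string.

    Raises ValueError for anything a lenient inet_aton() might accept.
    """
    try:
        packed = socket.inet_aton(text)
    except (OSError, ValueError, TypeError) as exc:
        # The platform rejected the string outright.
        raise ValueError(f"not an IPv4 address: {text!r}") from exc
    # Round trip: only the canonical 'a.b.c.d' form comes back unchanged.
    # Trailing text, trailing whitespace, '127.1' and octal-looking octets
    # all normalise to a different string and are refused here.
    if socket.inet_ntoa(packed) != text:
        raise ValueError(f"not quad-dotted IPv4: {text!r}")
    return packed


def is_strict_ipv4(text):
    """Boolean form of strict_ipv4() for use in filters and tests."""
    try:
        strict_ipv4(text)
    except ValueError:
        return False
    return True


def ip_matches_san(host, san_ips):
    """Compare a requested host against certificate IP entries.

    Assumption: san_ips is a list of dotted-quad strings taken from a
    certificate. A non-canonical entry on either side never matches.
    """
    if not is_strict_ipv4(host):
        return False
    wanted = strict_ipv4(host)
    return any(is_strict_ipv4(ip) and strict_ipv4(ip) == wanted
               for ip in san_ips)


if __name__ == "__main__":
    # Constructed sample inputs, including the one quoted in the commit message.
    for sample in ["127.0.0.1", "127.0.0.1 whatever", "127.0.0.1 ", "127.1"]:
        print(f"{sample!r:24} strict={is_strict_ipv4(sample)}")
```

The comparison against the inet_ntoa() output makes the result independent of how lenient the platform's inet_aton() is.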
Diffstat (limited to 'Misc')
-rw-r--r-- Misc/NEWS.d/next/Security/2019-07-01-08-46-14.bpo-37463.1CHwjE.rst 4
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2019-07-01-08-46-14.bpo-37463.1CHwjE.rst b/Misc/NEWS.d/next/Security/2019-07-01-08-46-14.bpo-37463.1CHwjE.rst
new file mode 100644
index 0000000000..4f4a62e783
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-07-01-08-46-14.bpo-37463.1CHwjE.rst
@@ -0,0 +1,4 @@
+ssl.match_hostname() no longer accepts IPv4 addresses with additional text
+after the address and only quad-dotted notation without trailing
+whitespaces. Some inet_aton() implementations ignore whitespace and all data
+after whitespace, e.g. '127.0.0.1 whatever'.
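
Review bot: The first sentence of the entry (added lines 1 to 3) is not parallel: "no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces" can be read as saying that quad-dotted notation is also no longer accepted. Suggest stating the accepted form positively, for example "ssl.match_hostname() now accepts only quad-dotted IPv4 addresses, with no trailing whitespace and no additional text after the address." The entry also leaves out two things the commit message carries: that short notations like '127.1' were already filtered out, and the credit to Dominik Czarnota and Paul Kehrer. Consider adding both so a changelog reader sees the full scope of the check and the attribution.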