[issue17980] CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names
Antoine Pitrou
report at bugs.python.org
Fri May 17 11:43:05 CEST 2013
Antoine Pitrou added the comment:
libcurl supports a single wildcard for the whole domain name pattern (not even one per fragment), as per lib/hostcheck.c
(this is when linked against OpenSSL; when linked against GnuTLS, curl will use the GnuTLS-provided matching function)
Based on all the evidence, I think allowing one wildcard per fragment is sufficient.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
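The rule proposed in the comment above (at most one wildcard per fragment), sketched as an added example; this is not CPython's or libcurl's code. The names `compile_dns_pattern`, `hostname_matches`, `PatternRejected` and the sample pattern are hypothetical. The wildcard count is checked before any regex is built, so a crafted name is rejected outright rather than matched.

```python
import re

MAX_WILDCARDS_PER_FRAGMENT = 1  # assumption: the limit proposed in the comment


class PatternRejected(ValueError):
    """Raised when a certificate name pattern exceeds the wildcard limit."""


def compile_dns_pattern(pattern, max_wildcards=MAX_WILDCARDS_PER_FRAGMENT):
    """Translate a certificate dNSName pattern into an anchored regex.

    Each dot-separated fragment may contain at most max_wildcards '*'.
    The count is checked before any regex is built, so a crafted name
    with many wildcards is never handed to the regex engine.
    """
    parts = []
    for frag in pattern.split("."):
        if frag.count("*") > max_wildcards:
            raise PatternRejected(
                "too many wildcards in fragment %r of %r" % (frag, pattern))
        if frag == "*":
            parts.append("[^.]+")  # whole-label wildcard: at least one char
        else:
            # Escape literal pieces; '*' matches within one label only.
            parts.append("[^.]*".join(re.escape(p) for p in frag.split("*")))
    return re.compile(r"\A" + r"\.".join(parts) + r"\Z", re.IGNORECASE)


def hostname_matches(pattern, hostname):
    """Return True/False for a match; reject over-wildcarded patterns."""
    return compile_dns_pattern(pattern).match(hostname) is not None


# Constructed sample pattern, not taken from any real certificate.
CRAFTED = "*" * 40 + "a.example.com"
```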