[issue37463] socket.inet_aton IP parsing issue in ssl.match_hostname

STINNER Victor report at bugs.python.org
Mon Jul 1 04:55:28 EDT 2019


STINNER Victor <vstinner at redhat.com> added the comment:

> It's a potential security bug although low severity.

What is the worst that can happen with this issue?

Either the client doesn't validate the cert at all, and so this issue has no impact, or the client validates the cert and trusts the CA, but the host isn't fully validated... Ok, but could someone abuse "1.1.1.1 ; this should not work but does"? Does a web browser accept such hostname? Or can it be used to inject SQL or a shell command for example?

----------
nosy: +vstinner

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37463>
_______________________________________
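Added example (not part of the tracker thread or of CPython's ssl module) contrasting the lenient socket.inet_aton() check the report is about with a strict whole-string parse via the ipaddress module; the helper names and the SAN-comparison function are assumptions made for illustration.

```python
import socket
import ipaddress


def inet_aton_accepts(text: str) -> bool:
    """Lenient check of the kind the report describes.

    socket.inet_aton() wraps the C library's inet_aton(), which on glibc and
    the BSDs stops at the first whitespace and ignores whatever follows, so
    "1.1.1.1 ; this should not work but does" can be accepted. The exact
    behaviour is platform dependent; this is shown only for comparison.
    """
    try:
        socket.inet_aton(text)
    except OSError:
        return False
    return True


def strict_ipv4(text: str):
    """Strict check: accept only a complete dotted-quad and nothing else.

    ipaddress.IPv4Address() parses the whole string and raises ValueError on
    any extra characters. Returns the packed 4-byte address, or None when the
    text is not a clean IPv4 literal.
    """
    try:
        return ipaddress.IPv4Address(text).packed
    except ValueError:
        return None


def san_ip_matches(cert_ip: str, requested_host: str) -> bool:
    """Compare a certificate's IP SAN with the host the client asked for.

    Both sides must pass the strict parser; any parse failure is a mismatch,
    so trailing text on either side can never produce a false positive.
    """
    cert_addr = strict_ipv4(cert_ip)
    host_addr = strict_ipv4(requested_host)
    return cert_addr is not None and host_addr is not None and cert_addr == host_addr


if __name__ == "__main__":
    # Constructed input: the exact string quoted in the report.
    sample = "1.1.1.1 ; this should not work but does"
    print("inet_aton accepts:", inet_aton_accepts(sample))
    print("strict parse:", strict_ipv4(sample))
    print("SAN match:", san_ip_matches("1.1.1.1", sample))
```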