[issue37463] socket.inet_aton IP parsing issue in ssl.match_hostname

Christian Heimes report at bugs.python.org
Tue Jul 2 05:14:21 EDT 2019


Christian Heimes <lists at cheimes.de> added the comment:

Riccardo, the issue is about parsing the user supplied hostname/ipaddress, not the IPAddress field of the certificate. X.509 certs store IP addresses as fixed-size binary data, 4 bytes for IPv4 or 16 bytes for IPv6. There can't be any additional payload.

The bug is in the code that parses the user supplied "hostname" parameter to ssl.match_hostname(cert, hostname). The bug allows an attacker to pass an IPv4 address with additional content and ssl.match_hostname() ignores this additional content. This example should fail, but does not fail with an exception:

>>> import ssl
>>> cert = {'subjectAltName': [('IP Address', '127.0.0.1 additional payload')]}
>>> ssl.match_hostname(cert, '127.0.0.1')

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37463>
_______________________________________
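Added example, not part of the tracker message or of CPython's own ssl module: it places a lenient check built on socket.inet_aton() beside a strict one built on the ipaddress module, and uses the strict parser in a hypothetical IP-only matcher (match_ip_strict, an illustration rather than CPython's fix) that refuses the "127.0.0.1 additional payload" certificate value from the comment above. The certificate dicts are constructed in the shape ssl.match_hostname() reads.

```python
import ipaddress
import socket

# Constructed sample certificates in the shape ssl.match_hostname() consumes.
CERT_WITH_PAYLOAD = {'subjectAltName': [('IP Address', '127.0.0.1 additional payload')]}
CERT_CLEAN = {'subjectAltName': [('IP Address', '127.0.0.1')]}


def lenient_ipv4(text):
    """Pre-fix style check via socket.inet_aton(). With glibc a valid
    dotted-quad followed by whitespace and arbitrary text is accepted, so
    trailing payload is silently dropped (exact behaviour is libc-dependent).
    Returns the packed address or None."""
    try:
        return socket.inet_aton(text)
    except OSError:
        return None


def strict_ip(text):
    """Strict parser: ipaddress.ip_address() only accepts a complete IPv4 or
    IPv6 literal, so any extra characters raise ValueError. Returns None then."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_ip_strict(cert, hostname):
    """Hypothetical IP-only matcher: both the user-supplied hostname and each
    certificate 'IP Address' value must parse as complete addresses; anything
    malformed raises ValueError instead of being partially matched."""
    host_ip = strict_ip(hostname)
    if host_ip is None:
        raise ValueError("hostname %r is not a valid IP address" % (hostname,))
    for key, value in cert.get('subjectAltName', ()):
        if key == 'IP Address':
            cert_ip = strict_ip(value.rstrip())  # rstrip mirrors ssl's handling of trailing whitespace
            if cert_ip is None:
                raise ValueError("certificate IP %r is malformed" % (value,))
            if cert_ip == host_ip:
                return True
    return False


def rejects(cert, hostname):
    """True when the strict matcher refuses the pair with ValueError."""
    try:
        match_ip_strict(cert, hostname)
    except ValueError:
        return True
    return False
```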

