[Python-checkins] cpython (merge 3.3 -> default): Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service
antoine.pitrou
python-checkins at python.org
Sat May 18 17:59:26 CEST 2013
http://hg.python.org/cpython/rev/fafd33db6ff6
changeset: 83828:fafd33db6ff6
parent: 83825:b111ae4f83ef
parent: 83827:c627638753e2
user: Antoine Pitrou <solipsis at pitrou.net>
date: Sat May 18 17:59:12 2013 +0200
summary:
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
files:
Lib/ssl.py | 9 ++++++++-
Lib/test/test_ssl.py | 11 +++++++++++
Misc/NEWS | 3 +++
3 files changed, 22 insertions(+), 1 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -160,9 +160,16 @@
pass
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
pats = []
for frag in dn.split(r'.'):
+ if frag.count('*') > max_wildcards:
+ # Issue #17980: avoid denials of service by refusing more
+ # than one wildcard per fragment. A survery of established
+ # policy among SSL implementations showed it to be a
+ # reasonable choice.
+ raise CertificateError(
+ "too many wildcards in certificate DNS name: " + repr(dn))
if frag == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ # Issue #17980: avoid denials of service by refusing more than one
+ # wildcard per fragment.
+ cert = {'subject': ((('commonName', 'a*b.com'),),)}
+ ok(cert, 'axxb.com')
+ cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+ ok(cert, 'axxb.com')
+ cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+ with self.assertRaises(ssl.CertificateError) as cm:
+ ssl.match_hostname(cert, 'axxbxxc.com')
+ self.assertIn("too many wildcards", str(cm.exception))
+
def test_server_side(self):
# server_hostname doesn't work for server sockets
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -94,6 +94,9 @@
Library
-------
+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+ service using certificates with many wildcards (CVE-2013-2099).
+
- Issue #15758: Fix FileIO.readall() so it no longer has O(n**2) complexity.
- Issue #14596: The struct.Struct() objects now use more compact implementation.
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list