python/patches/python-3.3.2-CVE-2013-2099.patch


# HG changeset patch
# User Antoine Pitrou <solipsis@pitrou.net>
# Date 1368892602 -7200
# Node ID c627638753e2d25a98950585b259104a025937a9
# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1	niro	2267
2			# HG changeset patch
3			# User Antoine Pitrou <solipsis@pitrou.net>
4			# Date 1368892602 -7200
5			# Node ID c627638753e2d25a98950585b259104a025937a9
6			# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
7			Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
8
9			diff --git a/Lib/ssl.py b/Lib/ssl.py
10			--- a/Lib/ssl.py
11			+++ b/Lib/ssl.py
12			@@ -129,9 +129,16 @@ class CertificateError(ValueError):
13			pass
14
15
16			-def _dnsname_to_pat(dn):
17			+def _dnsname_to_pat(dn, max_wildcards=1):
18			pats = []
19			for frag in dn.split(r'.'):
20			+ if frag.count('*') > max_wildcards:
21			+ # Issue #17980: avoid denials of service by refusing more
22			+ # than one wildcard per fragment. A survery of established
23			+ # policy among SSL implementations showed it to be a
24			+ # reasonable choice.
25			+ raise CertificateError(
26			+ "too many wildcards in certificate DNS name: " + repr(dn))
27			if frag == '*':
28			# When '*' is a fragment by itself, it matches a non-empty dotless
29			# fragment.
30			diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
31			--- a/Lib/test/test_ssl.py
32			+++ b/Lib/test/test_ssl.py
33			@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
34			self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
35			self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
36
37			+ # Issue #17980: avoid denials of service by refusing more than one
38			+ # wildcard per fragment.
39			+ cert = {'subject': ((('commonName', 'a*b.com'),),)}
40			+ ok(cert, 'axxb.com')
41			+ cert = {'subject': ((('commonName', 'ab.co'),),)}
42			+ ok(cert, 'axxb.com')
43			+ cert = {'subject': ((('commonName', 'ab.com'),),)}
44			+ with self.assertRaises(ssl.CertificateError) as cm:
45			+ ssl.match_hostname(cert, 'axxbxxc.com')
46			+ self.assertIn("too many wildcards", str(cm.exception))
47			+
48			def test_server_side(self):
49			# server_hostname doesn't work for server sockets
50			ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)