Contents of /trunk/python/patches/python-3.3.2-CVE-2013-2099.patch
Parent Directory
| 
Revision Log
Revision 2267 -
(show annotations)
(download)
Wed Aug 21 15:18:58 2013 UTC (10 years, 8 months ago) by niro
File size: 2129 byte(s)
Wed Aug 21 15:18:58 2013 UTC (10 years, 8 months ago) by niro
File size: 2129 byte(s)
-security fix
| 1 | |
| 2 | # HG changeset patch |
| 3 | # User Antoine Pitrou <solipsis@pitrou.net> |
| 4 | # Date 1368892602 -7200 |
| 5 | # Node ID c627638753e2d25a98950585b259104a025937a9 |
| 6 | # Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d |
| 7 | Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). |
| 8 | |
| 9 | diff --git a/Lib/ssl.py b/Lib/ssl.py |
| 10 | --- a/Lib/ssl.py |
| 11 | +++ b/Lib/ssl.py |
| 12 | @@ -129,9 +129,16 @@ class CertificateError(ValueError): |
| 13 | pass |
| 14 | |
| 15 | |
| 16 | -def _dnsname_to_pat(dn): |
| 17 | +def _dnsname_to_pat(dn, max_wildcards=1): |
| 18 | pats = [] |
| 19 | for frag in dn.split(r'.'): |
| 20 | + if frag.count('*') > max_wildcards: |
| 21 | + # Issue #17980: avoid denials of service by refusing more |
| 22 | + # than one wildcard per fragment. A survery of established |
| 23 | + # policy among SSL implementations showed it to be a |
| 24 | + # reasonable choice. |
| 25 | + raise CertificateError( |
| 26 | + "too many wildcards in certificate DNS name: " + repr(dn)) |
| 27 | if frag == '*': |
| 28 | # When '*' is a fragment by itself, it matches a non-empty dotless |
| 29 | # fragment. |
| 30 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py |
| 31 | --- a/Lib/test/test_ssl.py |
| 32 | +++ b/Lib/test/test_ssl.py |
| 33 | @@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase |
| 34 | self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') |
| 35 | self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') |
| 36 | |
| 37 | + # Issue #17980: avoid denials of service by refusing more than one |
| 38 | + # wildcard per fragment. |
| 39 | + cert = {'subject': ((('commonName', 'a*b.com'),),)} |
| 40 | + ok(cert, 'axxb.com') |
| 41 | + cert = {'subject': ((('commonName', 'a*b.co*'),),)} |
| 42 | + ok(cert, 'axxb.com') |
| 43 | + cert = {'subject': ((('commonName', 'a*b*.com'),),)} |
| 44 | + with self.assertRaises(ssl.CertificateError) as cm: |
| 45 | + ssl.match_hostname(cert, 'axxbxxc.com') |
| 46 | + self.assertIn("too many wildcards", str(cm.exception)) |
| 47 | + |
| 48 | def test_server_side(self): |
| 49 | # server_hostname doesn't work for server sockets |
| 50 | ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |