diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2013-05-18 17:56:42 +0200 |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2013-05-18 17:56:42 +0200 |
| commit | 86d53caddad11808ca332ab93ec35508b602a0dd (patch) | |
| tree | d2744d5d122a52543a72ae3d521a18f496e75805 /Lib/ssl.py | |
| parent | 8833c3bcd17f7a16688bfaa8d4776318e85e64d4 (diff) | |
| download | cpython-git-86d53caddad11808ca332ab93ec35508b602a0dd.tar.gz | |
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
Diffstat (limited to 'Lib/ssl.py')
| -rw-r--r-- | Lib/ssl.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py index e901b640a6..90c21ceff7 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -108,9 +108,16 @@ class CertificateError(ValueError): pass -def _dnsname_to_pat(dn): +def _dnsname_to_pat(dn, max_wildcards=1): pats = [] for frag in dn.split(r'.'): + if frag.count('*') > max_wildcards: + # Issue #17980: avoid denials of service by refusing more + # than one wildcard per fragment. A survery of established + # policy among SSL implementations showed it to be a + # reasonable choice. + raise CertificateError( + "too many wildcards in certificate DNS name: " + repr(dn)) if frag == '*': # When '*' is a fragment by itself, it matches a non-empty dotless # fragment. |