Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service…

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service…
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
31fb4199 · Antoine Pitrou · 1a8c3e24 · 636f93c6 · 31fb4199 · 31fb4199
Kaydet (Commit) 31fb4199 authored May 18, 2013 tarafından Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 1 deletion

ssl.py Lib/ssl.py +8 -1

test_ssl.py Lib/test/test_ssl.py +11 -0

NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -160,9 +160,16 @@ class CertificateError(ValueError):
    pass


-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
    pats = []
    for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
        if frag == '*':
            # When '*' is a fragment by itself, it matches a non-empty dotless
            # fragment.

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase):
        self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
        self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')

+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
    def test_server_side(self):
        # server_hostname doesn't work for server sockets
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -94,6 +94,9 @@ Core and Builtins
 Library
 -------

+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+  service using certificates with many wildcards (CVE-2013-2099).
+
 - Issue #15758: Fix FileIO.readall() so it no longer has O(n**2) complexity.

 - Issue #14596: The struct.Struct() objects now use more compact implementation.