Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

commit: 86d53caddad11808ca332ab93ec35508b602a0dd [log] [tgz]
author: Antoine Pitrou <solipsis@pitrou.net> Sat May 18 17:56:42 2013 +0200
committer: Antoine Pitrou <solipsis@pitrou.net> Sat May 18 17:56:42 2013 +0200
tree: d2744d5d122a52543a72ae3d521a18f496e75805
parent: 8833c3bcd17f7a16688bfaa8d4776318e85e64d4 [diff] [blame]
diff --git a/Lib/ssl.py b/Lib/ssl.py
index e901b64..90c21ce 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py

@@ -108,9 +108,16 @@
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
commit	86d53caddad11808ca332ab93ec35508b602a0dd	[log] [tgz]
author	Antoine Pitrou <solipsis@pitrou.net>	Sat May 18 17:56:42 2013 +0200
committer	Antoine Pitrou <solipsis@pitrou.net>	Sat May 18 17:56:42 2013 +0200
tree	d2744d5d122a52543a72ae3d521a18f496e75805
parent	8833c3bcd17f7a16688bfaa8d4776318e85e64d4 [diff] [blame]