Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

author: Antoine Pitrou <solipsis@pitrou.net> 2013-05-18 17:56:42 +0200
committer: Antoine Pitrou <solipsis@pitrou.net> 2013-05-18 17:56:42 +0200
commit: 65cbc0b1e40c4fa3a910fa07df15ca6627b5efa2 (patch)
tree: 0a2c12d3f8031c4ab514e3a76501d62aec6edd05 /Lib/test/test_ssl.py
parent: bf463d916abd45fa3da00d12458914ba579b73e0 (diff)
download: cpython-65cbc0b1e40c4fa3a910fa07df15ca6627b5efa2.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d1cb3f1b84..4d67fa1de4 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -326,6 +326,17 @@ class BasicSocketTests(unittest.TestCase):
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
author	Antoine Pitrou <solipsis@pitrou.net>	2013-05-18 17:56:42 +0200
committer	Antoine Pitrou <solipsis@pitrou.net>	2013-05-18 17:56:42 +0200
commit	65cbc0b1e40c4fa3a910fa07df15ca6627b5efa2 (patch)
tree	0a2c12d3f8031c4ab514e3a76501d62aec6edd05 /Lib/test/test_ssl.py
parent	bf463d916abd45fa3da00d12458914ba579b73e0 (diff)
download	cpython-65cbc0b1e40c4fa3a910fa07df15ca6627b5efa2.tar.gz