diff options
Diffstat (limited to 'dev-lang/python/files/python-3.2-CVE-2013-2099.patch')
-rw-r--r-- | dev-lang/python/files/python-3.2-CVE-2013-2099.patch | 51 |
1 files changed, 0 insertions, 51 deletions
diff --git a/dev-lang/python/files/python-3.2-CVE-2013-2099.patch b/dev-lang/python/files/python-3.2-CVE-2013-2099.patch deleted file mode 100644 index 9055a03..0000000 --- a/dev-lang/python/files/python-3.2-CVE-2013-2099.patch +++ /dev/null @@ -1,51 +0,0 @@ -# HG changeset patch -# User Antoine Pitrou <solipsis@pitrou.net> -# Date 1368892602 -7200 -# Sat May 18 17:56:42 2013 +0200 -# Branch 3.2 -# Node ID b9b521efeba385af0142988899a55de1c1c805c7 -# Parent 6255b40c6a6127933d8ea7a2b9de200f5a0e6154 -Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). - -diff --git a/Lib/ssl.py b/Lib/ssl.py ---- a/Lib/ssl.py -+++ b/Lib/ssl.py -@@ -108,9 +108,16 @@ - pass - - --def _dnsname_to_pat(dn): -+def _dnsname_to_pat(dn, max_wildcards=1): - pats = [] - for frag in dn.split(r'.'): -+ if frag.count('*') > max_wildcards: -+ # Issue #17980: avoid denials of service by refusing more -+ # than one wildcard per fragment. A survery of established -+ # policy among SSL implementations showed it to be a -+ # reasonable choice. -+ raise CertificateError( -+ "too many wildcards in certificate DNS name: " + repr(dn)) - if frag == '*': - # When '*' is a fragment by itself, it matches a non-empty dotless - # fragment. -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -326,6 +326,17 @@ - self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') - self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') - -+ # Issue #17980: avoid denials of service by refusing more than one -+ # wildcard per fragment. -+ cert = {'subject': ((('commonName', 'a*b.com'),),)} -+ ok(cert, 'axxb.com') -+ cert = {'subject': ((('commonName', 'a*b.co*'),),)} -+ ok(cert, 'axxb.com') -+ cert = {'subject': ((('commonName', 'a*b*.com'),),)} -+ with self.assertRaises(ssl.CertificateError) as cm: -+ ssl.match_hostname(cert, 'axxbxxc.com') -+ self.assertIn("too many wildcards", str(cm.exception)) -+ - def test_server_side(self): - # server_hostname doesn't work for server sockets - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |