Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

2025-08-04 00:48:58 +00:00 · 2013-05-18 17:56:42 +02:00 · 2013-05-18 17:56:42 +02:00 · 636f93c63b
commit 636f93c63b
parent ef9683b73f
3 changed files with 22 additions and 1 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -129,9 +129,16 @@ class CertificateError(ValueError):
    pass


-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
    pats = []
    for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
        if frag == '*':
            # When '*' is a fragment by itself, it matches a non-empty dotless
            # fragment.