From 1009eb3e5182b663ccec81caf435f8f21ddb49fc Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Tue, 16 Jul 2013 13:33:11 -0700 Subject: [PATCH] Fix for CVE 2013-2099 --- ...s.python.org-issue17980-in-code-back.patch | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch diff --git a/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch b/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch new file mode 100644 index 0000000..5f928ef --- /dev/null +++ b/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch @@ -0,0 +1,36 @@ +From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001 +From: Toshio Kuratomi +Date: Mon, 15 Jul 2013 10:58:20 -0700 +Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported + from the python3 stdlib + +--- + pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py +index 5707649..a6fadf4 100644 +--- a/pip/backwardcompat/ssl_match_hostname.py ++++ b/pip/backwardcompat/ssl_match_hostname.py +@@ -7,9 +7,17 @@ __version__ = '3.2a3' + class CertificateError(ValueError): + pass + +-def _dnsname_to_pat(dn): ++def _dnsname_to_pat(dn, max_wildcards=1): + pats = [] + for frag in dn.split(r'.'): ++ if frag.count('*') > max_wildcards: ++ # Issue #17980: avoid denials of service by refusing more ++ # than one wildcard per fragment. A survery of established ++ # policy among SSL implementations showed it to be a ++ # reasonable choice. ++ raise CertificateError( ++ "too many wildcards in certificate DNS name: " + repr(dn)) ++ + if frag == '*': + # When '*' is a fragment by itself, it matches a non-empty dotless + # fragment. +-- +1.7.11.7 +