37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001
|
|
From: Toshio Kuratomi <toshio@fedoraproject.org>
|
|
Date: Mon, 15 Jul 2013 10:58:20 -0700
|
|
Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported
|
|
from the python3 stdlib
|
|
|
|
---
|
|
pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py
|
|
index 5707649..a6fadf4 100644
|
|
--- a/pip/backwardcompat/ssl_match_hostname.py
|
|
+++ b/pip/backwardcompat/ssl_match_hostname.py
|
|
@@ -7,9 +7,17 @@ __version__ = '3.2a3'
|
|
class CertificateError(ValueError):
|
|
pass
|
|
|
|
-def _dnsname_to_pat(dn):
|
|
+def _dnsname_to_pat(dn, max_wildcards=1):
|
|
pats = []
|
|
for frag in dn.split(r'.'):
|
|
+ if frag.count('*') > max_wildcards:
|
|
+ # Issue #17980: avoid denials of service by refusing more
|
|
+ # than one wildcard per fragment. A survery of established
|
|
+ # policy among SSL implementations showed it to be a
|
|
+ # reasonable choice.
|
|
+ raise CertificateError(
|
|
+ "too many wildcards in certificate DNS name: " + repr(dn))
|
|
+
|
|
if frag == '*':
|
|
# When '*' is a fragment by itself, it matches a non-empty dotless
|
|
# fragment.
|
|
--
|
|
1.7.11.7
|
|
|