Update patch for wildcard idna fix to apply against the 1.1.7 release

2013-10-28 12:38:40 -07:00 · 2013-10-28 12:38:40 -07:00 · 92e8e94216
commit 92e8e94216
parent 6aabe0a6b3
1 changed files with 15 additions and 15 deletions
--- a/setuptools-ssl-match_hostname-wildcard.patch
+++ b/setuptools-ssl-match_hostname-wildcard.patch
@ -1,7 +1,8 @@
-diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
--- b/setuptools/ssl_support.py
-+++ b/setuptools/ssl_support.py
-@@ -85,26 +85,75 @@
+Index: setuptools-1.1.7/setuptools/ssl_support.py
+===================================================================
+--- setuptools-1.1.7.orig/setuptools/ssl_support.py
+++ setuptools-1.1.7/setuptools/ssl_support.py
+@@ -85,28 +85,69 @@ except ImportError:
 try:
     from ssl import CertificateError, match_hostname
 except ImportError:
@ -16,7 +17,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
     class CertificateError(ValueError):
         pass
 
-    def _dnsname_to_pat(dn):
+-    def _dnsname_to_pat(dn, max_wildcards=1):
 +if not match_hostname:
 +    def _dnsname_match(dn, hostname, max_wildcards=1):
 +        """Matching according to RFC 6125, section 6.4.3
@ -25,6 +26,13 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
 +        """
         pats = []
 -        for frag in dn.split(r'.'):
+-            if frag.count('*') > max_wildcards:
+-                # Issue #17980: avoid denials of service by refusing more
+-                # than one wildcard per fragment.  A survery of established
+-                # policy among SSL implementations showed it to be a
+-                # reasonable choice.
+-                raise CertificateError(
+-                    "too many wildcards in certificate DNS name: " + repr(dn))
 -            if frag == '*':
 -                # When '*' is a fragment by itself, it matches a non-empty dotless
 -                # fragment.
@ -79,18 +87,10 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
 +
 +        pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
 +        return pat.match(hostname)
-+
 
     def match_hostname(cert, hostname):
         """Verify that *cert* (in decoded format as returned by
-        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 rules
-        are mostly followed, but IP addresses are not accepted for *hostname*.
-+        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
-+        rules are followed, but IP addresses are not accepted for *hostname*.
- 
-         CertificateError is raised on failure. On success, the function
-         returns nothing.
-@@ -115,7 +164,7 @@
+@@ -122,7 +163,7 @@ except ImportError:
         san = cert.get('subjectAltName', ())
         for key, value in san:
             if key == 'DNS':
@ -99,7 +99,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
                     return
                 dnsnames.append(value)
         if not dnsnames:
-@@ -126,7 +175,7 @@
+@@ -133,7 +174,7 @@ except ImportError:
                     # XXX according to RFC 2818, the most specific Common Name
                     # must be used.
                     if key == 'commonName':