From 92e8e94216c40723986219be21b38ceb8bde9d5d Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Mon, 28 Oct 2013 12:38:40 -0700 Subject: [PATCH] Update patch for wildcard idna fix to apply against the 1.1.7 release --- setuptools-ssl-match_hostname-wildcard.patch | 30 ++++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/setuptools-ssl-match_hostname-wildcard.patch b/setuptools-ssl-match_hostname-wildcard.patch index b20ed12..d0a1c93 100644 --- a/setuptools-ssl-match_hostname-wildcard.patch +++ b/setuptools-ssl-match_hostname-wildcard.patch @@ -1,7 +1,8 @@ -diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py ---- b/setuptools/ssl_support.py -+++ b/setuptools/ssl_support.py -@@ -85,26 +85,75 @@ +Index: setuptools-1.1.7/setuptools/ssl_support.py +=================================================================== +--- setuptools-1.1.7.orig/setuptools/ssl_support.py ++++ setuptools-1.1.7/setuptools/ssl_support.py +@@ -85,28 +85,69 @@ except ImportError: try: from ssl import CertificateError, match_hostname except ImportError: @@ -16,7 +17,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py class CertificateError(ValueError): pass -- def _dnsname_to_pat(dn): +- def _dnsname_to_pat(dn, max_wildcards=1): +if not match_hostname: + def _dnsname_match(dn, hostname, max_wildcards=1): + """Matching according to RFC 6125, section 6.4.3 @@ -25,6 +26,13 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py + """ pats = [] - for frag in dn.split(r'.'): +- if frag.count('*') > max_wildcards: +- # Issue #17980: avoid denials of service by refusing more +- # than one wildcard per fragment. A survery of established +- # policy among SSL implementations showed it to be a +- # reasonable choice. +- raise CertificateError( +- "too many wildcards in certificate DNS name: " + repr(dn)) - if frag == '*': - # When '*' is a fragment by itself, it matches a non-empty dotless - # fragment. @@ -79,18 +87,10 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py + + pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) + return pat.match(hostname) -+ def match_hostname(cert, hostname): """Verify that *cert* (in decoded format as returned by -- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules -- are mostly followed, but IP addresses are not accepted for *hostname*. -+ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 -+ rules are followed, but IP addresses are not accepted for *hostname*. - - CertificateError is raised on failure. On success, the function - returns nothing. -@@ -115,7 +164,7 @@ +@@ -122,7 +163,7 @@ except ImportError: san = cert.get('subjectAltName', ()) for key, value in san: if key == 'DNS': @@ -99,7 +99,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py return dnsnames.append(value) if not dnsnames: -@@ -126,7 +175,7 @@ +@@ -133,7 +174,7 @@ except ImportError: # XXX according to RFC 2818, the most specific Common Name # must be used. if key == 'commonName':