From 636f93c63ba286249c1207e3a903f8429efb2041 Mon Sep 17 00:00:00 2001
From: Antoine Pitrou <solipsis@pitrou.net>
Date: Sat, 18 May 2013 17:56:42 +0200
Subject: Issue #17980: Fix possible abuse of ssl.match_hostname() for denial
 of service using certificates with many wildcards (CVE-2013-2099).

---
 Lib/ssl.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'Lib/ssl.py')

diff --git a/Lib/ssl.py b/Lib/ssl.py
index 6ff5c538842..30ee13b2070 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
-- 
cgit v1.2.3