From: Ben Darnell Date: Fri, 24 May 2013 03:57:30 +0000 (-0400) Subject: Backport changes from ssl.match_hostname in Python 3.3. X-Git-Tag: v3.1.0~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9c94f322e691d48151c1eb67f2742a39ad3ab46;p=thirdparty%2Ftornado.git Backport changes from ssl.match_hostname in Python 3.3. Includes two commits: * Fix potential CPU DoS via abusive wildcard pattern http://hg.python.org/cpython/rev/fafd33db6ff6 * Fall back to common name when SAN doesn't contain any DNS names http://hg.python.org/cpython/rev/1b37827984ba Closes #799. --- diff --git a/tornado/netutil.py b/tornado/netutil.py index 098f8bf8b..839c285e5 100644 --- a/tornado/netutil.py +++ b/tornado/netutil.py @@ -354,9 +354,16 @@ else: class SSLCertificateError(ValueError): pass - def _dnsname_to_pat(dn): + def _dnsname_to_pat(dn, max_wildcards=1): pats = [] for frag in dn.split(r'.'): + if frag.count('*') > max_wildcards: + # Issue #17980: avoid denials of service by refusing more + # than one wildcard per fragment. A survery of established + # policy among SSL implementations showed it to be a + # reasonable choice. + raise CertificateError( + "too many wildcards in certificate DNS name: " + repr(dn)) if frag == '*': # When '*' is a fragment by itself, it matches a non-empty dotless # fragment. @@ -384,8 +391,9 @@ else: if _dnsname_to_pat(value).match(hostname): return dnsnames.append(value) - if not san: - # The subject is only checked when subjectAltName is empty + if not dnsnames: + # The subject is only checked when there is no dNSName entry + # in subjectAltName for sub in cert.get('subject', ()): for key, value in sub: # XXX according to RFC 2818, the most specific Common Name