[New-bugs-announce] [issue17997] ssl.match_hostname(): sub string wildcard should not match IDNA prefix

Christian Heimes report at bugs.python.org
Fri May 17 16:04:53 CEST 2013


New submission from Christian Heimes:

Python's ssl.match_hostname() does sub string matching as specified in RFC 2818:

   Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.

The RFC doesn't specify how internationalized domain names should be handled because it predates RFC 5890 for IDNA by many years. IDNA are prefixed with "xn--", e.g. u"götter.example.de".encode("idna") == "xn--gtter-jua.example.de". This can result in false positive matches for a rule like "x*.example.de".

Chrome has special handling for IDN prefix in X509Certificate::VerifyHostname()
http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc

Also see #17980

----------
messages: 189454
nosy: christian.heimes, pitrou
priority: critical
severity: normal
stage: needs patch
status: open
title: ssl.match_hostname(): sub string wildcard should not match IDNA prefix
type: security
versions: Python 3.3, Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17997>
_______________________________________
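The false positive described in the report, shown as an added example (this is not CPython's ssl module code and not Chrome's VerifyHostname): a small RFC 2818 style wildcard matcher with a switch for an IDNA guard, so the naive behaviour and the corrected behaviour can be compared side by side. The names `dnsname_match`, `idna_alabel`, `false_positive_demo` and the `idna_guard` flag are constructed for this example; the guard follows RFC 6125 section 6.4.3, which says a client should not expand a wildcard that is embedded in an A-label or U-label.

```python
import re


def dnsname_match(dn, hostname, idna_guard=True):
    """Match a certificate DNS name (with at most one wildcard in the
    leftmost label, RFC 2818 style) against a hostname.

    With idna_guard=True the wildcard is not expanded when either the
    pattern's leftmost label or the hostname's leftmost label is an IDNA
    A-label ("xn--..."), per RFC 6125 section 6.4.3 item 3.  The '*' is
    then only a literal character and cannot match a fragment of the
    punycode encoding.  idna_guard=False reproduces the behaviour the
    report complains about.
    """
    if not dn or not hostname:
        return False
    pats = []
    leftmost, *remainder = dn.split('.')
    host_leftmost = hostname.split('.')[0]

    if leftmost == '*':
        # whole-label wildcard: *.a.com matches foo.a.com, not bar.foo.a.com
        pats.append('[^.]+')
    elif idna_guard and (leftmost.lower().startswith('xn--')
                         or host_leftmost.lower().startswith('xn--')):
        # no wildcard expansion inside or against an A-label
        pats.append(re.escape(leftmost))
    else:
        # partial-label wildcard: f*.com becomes f[^.]*\.com
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))

    # remaining labels must match literally
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def idna_alabel(name):
    """ASCII (A-label) form of a possibly internationalized hostname."""
    return name.encode('idna').decode('ascii')


def false_positive_demo():
    """Constructed example from the report: the rule x*.example.de must not
    match the A-label of götter.example.de."""
    host = idna_alabel("götter.example.de")
    return {
        'alabel': host,
        'naive': dnsname_match('x*.example.de', host, idna_guard=False),
        'guarded': dnsname_match('x*.example.de', host),
    }


if __name__ == '__main__':
    print(false_positive_demo())
```

Whole-label wildcards such as `*.example.de` still match an `xn--` label under the guard, which is what RFC 6125 permits; only a wildcard that would have to consume part of the punycode encoding is refused.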