[issue17980] CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names

Antoine Pitrou report at bugs.python.org
Thu May 16 20:13:19 CEST 2013


Antoine Pitrou added the comment:

> Wildcard matching can easily be done in worst-case linear time, but
> not with regexps.  doctest.py's internal _ellipsis_match() shows one
> way to do it (doctest can use "..." as a wildcard marker).

Thanks, this may be a nice enhancement for 3.4.

For 3.2 and 3.3, I'd prefer to go the safe way of simply limiting the
number of wildcards. If OpenSSL only accepts one per fragment, accepting
one or two is certainly fine for Python as well :-)

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
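
An added example, not part of the original message and not CPython's own code: a sketch of both ideas from this exchange, a cap on the number of wildcards in a certificate name and a left-to-right wildcard scan that needs no regular expression. The function names, the `max_wildcards` parameter and the sample hostnames are hypothetical and constructed for illustration.

```python
def wildcard_label_match(pattern, label):
    """Match one DNS label against a pattern in which '*' matches any run
    of characters, scanning left to right with no backtracking."""
    pieces = pattern.lower().split("*")
    label = label.lower()
    if len(pieces) == 1:                 # no wildcard: plain comparison
        return pieces[0] == label
    head, tail = pieces[0], pieces[-1]
    if not label.startswith(head):       # text before the first '*'
        return False
    start, end = len(head), len(label)
    if tail:                             # text after the last '*'
        if not label.endswith(tail) or end - len(tail) < start:
            return False
        end -= len(tail)
    # Middle pieces: take the earliest occurrence of each one, in order.
    for piece in pieces[1:-1]:
        pos = label.find(piece, start, end)
        if pos < 0:
            return False
        start = pos + len(piece)
    return True


def dnsname_match(pattern, hostname, max_wildcards=1):
    """Hypothetical helper: refuse names with too many wildcards, then
    compare label by label. Wildcards count in the leftmost label only."""
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0].count("*") > max_wildcards:
        raise ValueError("too many wildcards in certificate name: %r" % pattern)
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    if not wildcard_label_match(p_labels[0], h_labels[0]):
        return False
    # Every remaining label must match exactly (case-insensitively).
    return all(p.lower() == h.lower()
               for p, h in zip(p_labels[1:], h_labels[1:]))
```

Raising on an over-wildcarded name, rather than returning a non-match, lets the caller log or reject the certificate instead of quietly trying its next name.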

