New submission from Christian Heimes <li...@cheimes.de>:
inet_aton accepts trailing characters after a valid IP
(https://bugzilla.redhat.com/show_bug.cgi?id=1347549). This, in combination
with its use inside ssl.match_hostname, allows the following code to work
when it should fail:

    import ssl
    cert = {'subjectAltName': (('IP Address', '1.1.1.1'),)}
    ssl.match_hostname(cert, '1.1.1.1 ; this should not work but does')

The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

The issue was introduced in commit aef1283ba428e33397d87cee3c54a5110861552d
/ bpo-32819. Only 3.7 and newer are affected.

It's a potential security bug although low severity. For one, Python 3.7 and
newer no longer use ssl.match_hostname() to verify hostnames and IP addresses
of a certificate. Matching is performed by OpenSSL.

----------
assignee: christian.heimes
components: SSL
keywords: 3.7regression
messages: 346964
nosy: alex, christian.heimes, dstufft, janssen, lukasz.langa, ned.deily
priority: release blocker
severity: normal
stage: needs patch
status: open
title: socket.inet_aton IP parsing issue in ssl.match_hostname
type: security
versions: Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37463>
_______________________________________
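The parsing difference behind the report, shown side by side in an added example that is not part of the tracker message or of CPython's fix: a lenient check that trusts socket.inet_aton() next to a strict one built on the ipaddress module, and an IP-SAN matcher that fails closed on anything that is not a complete dotted quad. The function names (lenient_is_ipv4, strict_is_ipv4, match_ip_san, stdlib_accepts) and the certificate dict are constructed here for illustration; whether the lenient check accepts the trailing text depends on the platform's libc (glibc and the BSD libcs stop parsing at the first whitespace and ignore the rest), so the example reports that result rather than assuming it.

```python
import ipaddress
import socket
import ssl

# Constructed sample: the shape ssl.match_hostname() expects for a cert dict,
# with a single IP Address SAN. Not a real certificate.
CONSTRUCTED_CERT = {"subjectAltName": (("IP Address", "1.1.1.1"),)}

JUNK_HOST = "1.1.1.1 ; this should not work but does"


def lenient_is_ipv4(host):
    """Lenient check: accept whatever socket.inet_aton() accepts.

    inet_aton() is a libc routine. On glibc and the BSD libcs it stops at the
    first whitespace and ignores everything after it, and it also takes the
    shorthand forms such as '127.1'. That is why '1.1.1.1 ; ...' passes here.
    """
    try:
        socket.inet_aton(host)
    except OSError:
        return False
    return True


def strict_is_ipv4(host):
    """Strict check: the entire string must be a canonical dotted quad.

    ipaddress.IPv4Address() parses the whole string and raises on trailing
    characters, whitespace or shorthand forms, so no text after the address
    can ride along.
    """
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def match_ip_san(cert, hostname):
    """Match hostname against the IP Address SANs of cert, failing closed.

    A hostname that is not a complete dotted quad can never match an IP SAN,
    so it returns False instead of being passed to a lenient parser. SAN
    values are parsed the same strict way; a malformed SAN is skipped.
    """
    if not strict_is_ipv4(hostname):
        return False
    wanted = ipaddress.IPv4Address(hostname)
    for key, value in cert.get("subjectAltName", ()):
        if key != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == wanted:
                return True
        except ValueError:
            continue
    return False


def stdlib_accepts(cert, hostname):
    """Report what this interpreter's ssl.match_hostname() does with the pair.

    Returns True if it accepts, False if it raises CertificateError, and None
    on interpreters where the function no longer exists (it was deprecated in
    3.7 and later removed), so callers can compare against the strict matcher.
    """
    match = getattr(ssl, "match_hostname", None)
    if match is None:
        return None
    try:
        match(cert, hostname)
    except ssl.CertificateError:
        return False
    return True


if __name__ == "__main__":
    for host in ("1.1.1.1", JUNK_HOST, "127.1"):
        print(
            f"{host!r}: inet_aton={lenient_is_ipv4(host)} "
            f"strict={strict_is_ipv4(host)} "
            f"san_match={match_ip_san(CONSTRUCTED_CERT, host)} "
            f"stdlib={stdlib_accepts(CONSTRUCTED_CERT, host)}"
        )
```

Running it on a glibc system shows the lenient column accepting both '1.1.1.1 ; ...' and '127.1' while the strict column and the fail-closed matcher accept only the exact address; the point for any code that still does its own hostname matching is to parse the candidate with ipaddress (or inet_pton, which also rejects trailing text) before comparing it to a SAN, rather than relying on a libc convenience parser.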