New submission from David Watson <bai...@users.sourceforge.net>:
Changeset fd10d042b41d removed the wrappers on ssl.SSLSocket for
the new socket.send/recvmsg() methods (since I forgot to check
for the existence of the underlying methods - see issue #6560),
but this leaves SSLSocket with send/recvmsg() methods inherited
from the underlying socket type; thus SSLSocket.sendmsg() will
insert the given data into the stream without encrypting it (or
wrapping it in SSL in any way).
This immediately screws up the SSL connection, resulting in
receive errors at both ends ("SSL3_GET_RECORD:wrong version
number" and the like), but the data is clearly visible in a
packet capture, so it's too late if it was actually something
secret.
Correspondingly, recvmsg() and recvmsg_into() return the
encrypted data, and screw up the connection by removing it from
the SSL stream.
Of course, these methods don't make sense over SSL anyway, but if
the programmer naively assumes they do, then ideally they should
not expose any secret information.
Attaching a patch implementing Antoine Pitrou's suggestion that
the methods should simply raise NotImplementedError. I don't
know if these versions should also be added only if present on
the underlying socket - they're Not Implemented either way :-)
----------
components: Library (Lib)
files: ssl_sendrecvmsg_notimplemented.diff
keywords: patch
messages: 142900
nosy: baikie
priority: normal
severity: normal
status: open
title: Missing SSLSocket.sendmsg() wrapper allows programs to send unencrypted
data by mistake
versions: Python 3.3
Added file: http://bugs.python.org/file23030/ssl_sendrecvmsg_notimplemented.diff
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12835>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
