New submission from Christian Heimes:

Python's ssl.match_hostname() does substring matching as specified in RFC 2818:

    Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

The RFC doesn't specify how internationalized domain names should be handled because it predates RFC 5890 for IDNA by many years. IDNA are prefixed with "xn--", e.g. u"götter.example.de".encode("idna") == "xn--gtter-jua.example.de". This can result in false positive matches for a rule like "x*.example.de".

Chrome has special handling for the IDN prefix in X509Certificate::VerifyHostname():
http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc

Also see #17980

----------
messages: 189454
nosy: christian.heimes, pitrou
priority: critical
severity: normal
stage: needs patch
status: open
title: ssl.match_hostname(): sub string wildcard should not match IDNA prefix
type: security
versions: Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17997>
_______________________________________
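The false positive described in the report, shown side by side with a hardened matcher. This is an added example written for this page, not code from the tracker issue or from CPython's ssl module: the functions `to_ascii`, `match_hostname` and `_label_matches` and the `idna_aware` switch are hypothetical names chosen here. The matcher keeps the RFC 2818 rules quoted above (a wildcard may stand for a whole label or a fragment of the leftmost label, label counts must agree), and the hardened mode refuses to let a fragment wildcard such as `x*` match an A-label beginning with `xn--`, which is a simplified version of the special-casing the report attributes to Chrome. A whole-label `*` still matches an A-label, since that does not depend on the prefix.

```python
import re


def to_ascii(hostname):
    """Convert a Unicode hostname to its IDNA A-label form (labels start with xn--)."""
    return hostname.encode("idna").decode("ascii")


def _label_matches(pattern_label, host_label, idna_aware):
    """Match a single DNS label against a single certificate-name label."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label == "*":
        # A whole-label wildcard covers any one non-empty label, A-labels included.
        return host_label != ""
    if idna_aware and (pattern_label.startswith("xn--") or host_label.startswith("xn--")):
        # Hardened behaviour (assumption for this example): a wildcard fragment never
        # matches an A-label, otherwise "x*" would cover every "xn--..." IDN label.
        return False
    # RFC 2818 fragment wildcard: '*' stands for any run of characters inside one label.
    regex = re.escape(pattern_label).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, host_label) is not None


def match_hostname(pattern, hostname, idna_aware=True):
    """Return True when the certificate name `pattern` covers `hostname`.

    Only the leftmost label may carry a wildcard (at most one); the remaining
    labels must match literally. Label counts must agree, so '*.a.com' does
    not cover 'bar.foo.a.com'. With idna_aware=False the matcher shows the
    substring behaviour the report warns about.
    """
    pattern_labels = pattern.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0].count("*") > 1:
        raise ValueError("too many wildcards in certificate name: %r" % pattern)
    if any("*" in label for label in pattern_labels[1:]):
        raise ValueError("wildcard only allowed in the leftmost label: %r" % pattern)
    if not _label_matches(pattern_labels[0], host_labels[0], idna_aware):
        return False
    return all(p == h for p, h in zip(pattern_labels[1:], host_labels[1:]))


if __name__ == "__main__":
    # Constructed input: the IDN from the report, encoded to its A-label form.
    idn_host = to_ascii("götter.example.de")
    print(idn_host)
    print("RFC 2818 substring match:", match_hostname("x*.example.de", idn_host, idna_aware=False))
    print("hardened match:          ", match_hostname("x*.example.de", idn_host))
```

Running the script prints `xn--gtter-jua.example.de`, then `True` for the plain substring matcher and `False` for the hardened one: the certificate name `x*.example.de` was never meant to cover `götter.example.de`, but the ASCII-compatible encoding happens to start with `x`. The check is cheap because the `xn--` prefix is fixed by RFC 5890, so a matcher only needs to look at the first four characters of the label before applying a fragment wildcard.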
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com. The RFC doesn't specify how internationalized domain names shoould be handled because it predates RFC 5890 for IDNA by many year. IDNA are prefixed with "xn--", e.g. u"götter.example.de".encode("idna") == "xn--gtter-jua.example.de". This can result into false positive matches for a rule like "x*.example.de". Chrome has special handling for IDN prefix in X509Certificate::VerifyHostname() http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc Also see #17980 ---------- messages: 189454 nosy: christian.heimes, pitrou priority: critical severity: normal stage: needs patch status: open title: ssl.match_hostname(): sub string wildcard should not match IDNA prefix type: security versions: Python 3.3, Python 3.4 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue17997> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com