Christian Heimes added the comment:

Ryan Sleevi of the Google Chrome Security Team has informed us about another issue that is caused by our failure to implement RFC 6125 wildcard matching rules. RFC 6125 allows only one wildcard in the left-most fragment of a hostname. For security reasons matching rules like *.*.com should not be supported.
For wildcards in internationalized domain names I have followed the piece of advice "In the face of ambiguity, refuse the temptation to guess." A substring wildcard no longer matches an IDN A-label fragment. '*' still matches a full punycode fragment, but 'x*' no longer matches 'xn--foo'. I copied the idea from Chrome's matching code:

http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc?revision=212341#l640

    // * must not match a substring of an IDN A label; just a whole fragment.
    if (reference_host.starts_with("xn--") &&
        !(pattern_begin.empty() && pattern_end.empty()))
      continue;

The relevant RFC sections for the patch are:

http://tools.ietf.org/html/rfc6125#section-6.4.3
http://tools.ietf.org/html/rfc2818#section-3.1
http://tools.ietf.org/html/rfc2459#section-4.2.1.7
http://tools.ietf.org/html/rfc5280#section-7

----------
keywords: +patch
stage: needs patch -> patch review
versions: +Python 3.2
Added file: http://bugs.python.org/file31245/match_hostname_RFC6125.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17997>
_______________________________________
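The matching rules described in the comment above, as an added example written for this page. It is neither the patch attached to the issue nor CPython's ssl.match_hostname(); the function names, the max_wildcards parameter and the locally defined CertificateError class are my own choices. It checks one certificate dNSName pattern against one hostname: at most one wildcard, only in the left-most label, a wildcard matching exactly one whole label, a bare '*' allowed to match a punycode A-label, and a partial wildcard such as 'x*' refused against 'xn--foo'.

```python
from typing import List


class CertificateError(ValueError):
    """Raised for a malformed dNSName pattern. Defined here for the example;
    the name mirrors ssl.CertificateError but this is not CPython's class."""


def _labels(name: str) -> List[str]:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith('.'):
        name = name[:-1]
    return name.split('.')


def validate_pattern(pattern: str, max_wildcards: int = 1) -> List[str]:
    """Apply the RFC 6125 wildcard placement rules and return the labels.

    Rejects more than `max_wildcards` wildcards and any wildcard outside the
    left-most label, so '*.*.com', '**.example.com' and 'www.*.example.com'
    all raise CertificateError instead of silently matching nothing.
    """
    if not pattern:
        raise CertificateError("empty dNSName pattern")
    labels = _labels(pattern)
    if any('*' in label for label in labels[1:]):
        raise CertificateError(
            "wildcard outside the left-most label: %r" % pattern)
    if labels[0].count('*') > max_wildcards:
        raise CertificateError("too many wildcards in %r" % pattern)
    return labels


def pattern_is_acceptable(pattern: str) -> bool:
    """Boolean convenience wrapper around validate_pattern()."""
    try:
        validate_pattern(pattern)
    except CertificateError:
        return False
    return True


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN `pattern` from a certificate against `hostname`.

    Rules implemented, following the tracker comment:
      * a wildcard matches exactly one whole label, never across a dot and
        never an empty label, so '*.example.com' matches neither
        'a.b.example.com' nor 'example.com';
      * a bare '*' label may match a punycode A-label such as 'xn--foo';
      * a partial wildcard ('x*', 'f*o') never matches an A-label, and a
        pattern label that itself starts with 'xn--' may not carry a
        wildcard (refuse to guess rather than match a substring of an IDN).
    """
    pat_labels = validate_pattern(pattern)
    if not hostname:
        return False
    host_labels = _labels(hostname)
    if '*' not in pat_labels[0]:
        # No wildcard: plain case-insensitive label-by-label comparison.
        return pat_labels == host_labels
    # Wildcard patterns need the same label count as the hostname and every
    # non-wildcard label must match exactly.
    if len(pat_labels) != len(host_labels) or pat_labels[1:] != host_labels[1:]:
        return False
    pat_left, host_left = pat_labels[0], host_labels[0]
    if not host_left:
        return False
    if pat_left == '*':
        return True  # whole-label wildcard, A-labels included
    if host_left.startswith('xn--') or pat_left.startswith('xn--'):
        return False  # substring wildcard against an IDN A-label: refuse
    prefix, _, suffix = pat_left.partition('*')
    return (len(host_left) >= len(prefix) + len(suffix)
            and host_left.startswith(prefix)
            and host_left.endswith(suffix))
```

The function deliberately raises on a malformed pattern rather than returning False, so a certificate carrying '*.*.com' fails loudly in the caller instead of being quietly skipped. Browsers additionally refuse wildcards that sit directly under a top-level domain; that check is separate from the rules discussed in this issue and is not implemented here.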