python-pip/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch

From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi <toshio@fedoraproject.org>
Date: Mon, 15 Jul 2013 10:58:20 -0700
Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported
 from the python3 stdlib

---
 pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py
index 5707649..a6fadf4 100644
--- a/pip/backwardcompat/ssl_match_hostname.py
+++ b/pip/backwardcompat/ssl_match_hostname.py
@@ -7,9 +7,17 @@ __version__ = '3.2a3'
 class CertificateError(ValueError):
     pass
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
+
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
-- 
1.7.11.7
Fix for CVE 2013-2099 2013-07-16 20:33:11 +00:00			`From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001`
			`From: Toshio Kuratomi <toshio@fedoraproject.org>`
			`Date: Mon, 15 Jul 2013 10:58:20 -0700`
			`Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported`
			`from the python3 stdlib`

			`---`
			`pip/backwardcompat/ssl_match_hostname.py \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py`
			`index 5707649..a6fadf4 100644`
			`--- a/pip/backwardcompat/ssl_match_hostname.py`
			`+++ b/pip/backwardcompat/ssl_match_hostname.py`
			`@@ -7,9 +7,17 @@ __version__ = '3.2a3'`
			`class CertificateError(ValueError):`
			`pass`

			`-def _dnsname_to_pat(dn):`
			`+def _dnsname_to_pat(dn, max_wildcards=1):`
			`pats = []`
			`for frag in dn.split(r'.'):`
			`+ if frag.count('*') > max_wildcards:`
			`+ # Issue #17980: avoid denials of service by refusing more`
			`+ # than one wildcard per fragment. A survery of established`
			`+ # policy among SSL implementations showed it to be a`
			`+ # reasonable choice.`
			`+ raise CertificateError(`
			`+ "too many wildcards in certificate DNS name: " + repr(dn))`
			`+`
			`if frag == '*':`
			`# When '*' is a fragment by itself, it matches a non-empty dotless`
			`# fragment.`
			`--`
			`1.7.11.7`