rpms/python-setuptools
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update patch for wildcard idna fix to apply against the 1.1.7 release

Browse Source
This commit is contained in:
Toshio Kuratomi 2013-10-28 12:38:40 -07:00
parent 6aabe0a6b3
commit 92e8e94216
1 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
setuptools-ssl-match_hostname-wildcard.patch
View File

@ -1,7 +1,8 @@
diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py Index: setuptools-1.1.7/setuptools/ssl_support.py
--- b/setuptools/ssl_support.py ===================================================================
+++ b/setuptools/ssl_support.py --- setuptools-1.1.7.orig/setuptools/ssl_support.py
@@ -85,26 +85,75 @@ +++ setuptools-1.1.7/setuptools/ssl_support.py
@@ -85,28 +85,69 @@ except ImportError:
try: try:
from ssl import CertificateError, match_hostname from ssl import CertificateError, match_hostname
except ImportError: except ImportError:
@ -16,7 +17,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
class CertificateError(ValueError): class CertificateError(ValueError):
pass pass
- def _dnsname_to_pat(dn): - def _dnsname_to_pat(dn, max_wildcards=1):
+if not match_hostname: +if not match_hostname:
+ def _dnsname_match(dn, hostname, max_wildcards=1): + def _dnsname_match(dn, hostname, max_wildcards=1):
+ """Matching according to RFC 6125, section 6.4.3 + """Matching according to RFC 6125, section 6.4.3
@ -25,6 +26,13 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
+ """ + """
pats = [] pats = []
- for frag in dn.split(r'.'): - for frag in dn.split(r'.'):
- if frag.count('*') > max_wildcards:
- # Issue #17980: avoid denials of service by refusing more
- # than one wildcard per fragment. A survery of established
- # policy among SSL implementations showed it to be a
- # reasonable choice.
- raise CertificateError(
- "too many wildcards in certificate DNS name: " + repr(dn))
- if frag == '*': - if frag == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless - # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment. - # fragment.
@ -79,18 +87,10 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
+ +
+ pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) + pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
+ return pat.match(hostname) + return pat.match(hostname)
+
def match_hostname(cert, hostname): def match_hostname(cert, hostname):
"""Verify that *cert* (in decoded format as returned by """Verify that *cert* (in decoded format as returned by
- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules @@ -122,7 +163,7 @@ except ImportError:
- are mostly followed, but IP addresses are not accepted for *hostname*.
+ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
+ rules are followed, but IP addresses are not accepted for *hostname*.
CertificateError is raised on failure. On success, the function
returns nothing.
@@ -115,7 +164,7 @@
san = cert.get('subjectAltName', ()) san = cert.get('subjectAltName', ())
for key, value in san: for key, value in san:
if key == 'DNS': if key == 'DNS':
@ -99,7 +99,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
return return
dnsnames.append(value) dnsnames.append(value)
if not dnsnames: if not dnsnames:
@@ -126,7 +175,7 @@ @@ -133,7 +174,7 @@ except ImportError:
# XXX according to RFC 2818, the most specific Common Name # XXX according to RFC 2818, the most specific Common Name
# must be used. # must be used.
if key == 'commonName': if key == 'commonName':