RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://github.com/python/cpython/commit/070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557 below:

match_hostname requires quad-dotted IPv4 (GH-14499) · python/cpython@070fae6 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+32

-10

lines changed

Filter options

Misc/NEWS.d/next/Security

Expand file treeCollapse file tree 3 files changed

+32

-10

lines changed Original file line number Diff line number Diff line change


 @@ -243,12 +243,22 @@ def _inet_paton(ipname):

243 243


  Supports IPv4 addresses on all platforms and IPv6 on platforms with IPv6

244 244


  support.

245 245

"""

246

-
 # inet_aton() also accepts strings like '1'

247

-
 if ipname.count('.') == 3:

248

-
 try:

249

-
 return _socket.inet_aton(ipname)

250

-
 except OSError:

251

-
 pass

246

+
 # inet_aton() also accepts strings like '1', '127.1', some also trailing

247

+
 # data like '127.0.0.1 whatever'.

248

+
 try:

249

+
 addr = _socket.inet_aton(ipname)

250

+
 except OSError:

251

+
 # not an IPv4 address

252

+
 pass

253

+
 else:

254

+
 if _socket.inet_ntoa(addr) == ipname:

255

+
 # only accept injective ipnames

256

+
 return addr

257

+
 else:

258

+
 # refuse for short IPv4 notation and additional trailing data

259

+
 raise ValueError(

260

+
 "{!r} is not a quad-dotted IPv4 address.".format(ipname)

261

+
 )

252 262 253 263


 try:

254 264


 return _socket.inet_pton(_socket.AF_INET6, ipname)


 @@ -262,14 +272,15 @@ def _inet_paton(ipname):

262 272


 raise ValueError("{!r} is not an IPv4 address.".format(ipname))

263 273 264 274 265

-
 def _ipaddress_match(ipname, host_ip):

275

+
 def _ipaddress_match(cert_ipaddress, host_ip):

266 276


 """Exact matching of IP addresses.

267 277 268 278


  RFC 6125 explicitly doesn't define an algorithm for this

269 279


  (section 1.7.2 - "Out of Scope").

270 280

"""

271

-
 # OpenSSL may add a trailing newline to a subjectAltName's IP address

272

-
 ip = _inet_paton(ipname.rstrip())

281

+
 # OpenSSL may add a trailing newline to a subjectAltName's IP address,

282

+
 # commonly woth IPv6 addresses. Strip off trailing \n.

283

+
 ip = _inet_paton(cert_ipaddress.rstrip())

273 284


 return ip == host_ip

274 285 275 286 Original file line number Diff line number Diff line change


 @@ -681,9 +681,14 @@ def fail(cert, hostname):

681 681


 cert = {'subject': ((('commonName', 'example.com'),),),

682 682


 'subjectAltName': (('DNS', 'example.com'),

683 683


 ('IP Address', '10.11.12.13'),

684

-
 ('IP Address', '14.15.16.17'))}

684

+
 ('IP Address', '14.15.16.17'),

685

+
 ('IP Address', '127.0.0.1'))}

685 686


 ok(cert, '10.11.12.13')

686 687


 ok(cert, '14.15.16.17')

688

+
 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'

689

+
 fail(cert, '127.1')

690

+
 fail(cert, '14.15.16.17 ')

691

+
 fail(cert, '14.15.16.17 extra data')

687 692


 fail(cert, '14.15.16.18')

688 693


 fail(cert, 'example.net')

689 694


 @@ -696,6 +701,8 @@ def fail(cert, hostname):

696 701


 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}

697 702


 ok(cert, '2001::cafe')

698 703


 ok(cert, '2003::baba')

704

+
 fail(cert, '2003::baba ')

705

+
 fail(cert, '2003::baba extra data')

699 706


 fail(cert, '2003::bebe')

700 707


 fail(cert, 'example.net')

701 708 Original file line number Diff line number Diff line change


 @@ -0,0 +1,4 @@

1

+
 ssl.match_hostname() no longer accepts IPv4 addresses with additional text

2

+
 after the address and only quad-dotted notation without trailing

3

+
 whitespaces. Some inet_aton() implementations ignore whitespace and all data

4

+
 after whitespace, e.g. '127.0.0.1 whatever'.

You can’t perform that action at this time.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4