inet_aton() accepts trailing characters after a valid IP. Because of that, Python ssl.match_hostname('1.1.1.1 ; this should not work but does') succeeded when it should fail.
The issue was introduced in bpo-32819 by commit aef1283b. Only Python 3.7 and newer are affected. It is a potential security bug, although of low severity: for one thing, Python 3.7 and newer no longer use ssl.match_hostname() to verify the hostnames and IP addresses of a certificate; matching is performed by OpenSSL.
It should not be possible to register an X.509 certificate with a hostname that contains spaces.
The glibc function inet_aton() accepts input as valid if said input is an IPv4 address followed by zero or more characters that are valid white-space as decided by isspace(), with the rest of the string after the first white-space being ignored. As '\r' is a valid white-space character, the rest of the string is ignored (including the '\r'). See glibc bug 24111: Deprecate inet_addr, inet_aton.
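The following is an added example, not code from CPython or from this advisory. It contrasts a libc-backed IPv4 parse (socket.inet_aton(), which on glibc tolerates a white-space-terminated trailer) with a strict parse via the ipaddress module, and uses a hypothetical, simplified ip_san_matches() stand-in to show why a hostname string with trailing text must never be treated as an IPv4 address when it is matched against a certificate's IP Address SAN. The sample strings are constructed here; the lenient parser's exact behaviour depends on the platform's libc, so only the strict parser is something code should rely on.

```python
"""Added example: strict vs lenient IPv4 parsing in the context of hostname matching."""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed sample inputs: the string from the advisory, a CR-terminated variant,
# a non-whitespace trailer, and a plain DNS name.
SAMPLES = [
    "1.1.1.1",
    "1.1.1.1 ; this should not work but does",
    "1.1.1.1\rgarbage",
    "1.1.1.1x",
    "example.com",
]


def lenient_parse(name: str) -> Optional[bytes]:
    """Parse with socket.inet_aton(), which delegates to the C library's inet_aton().

    On glibc a valid dotted quad followed by white-space and then anything else is
    accepted and the trailer is silently dropped. The result is platform dependent,
    which is exactly why it is the wrong primitive for security decisions.
    """
    try:
        return socket.inet_aton(name)
    except OSError:
        return None


def strict_parse(name: str) -> Optional[bytes]:
    """Accept only a complete dotted-quad IPv4 address with no surrounding or trailing text."""
    try:
        return ipaddress.IPv4Address(name).packed
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def ip_san_matches(san_ip: str, hostname: str,
                   parse: Callable[[str], Optional[bytes]]) -> bool:
    """Hypothetical stand-in for IP Address SAN matching (not the ssl module's code).

    The name the client connected to is compared against an IP Address SAN only if it
    parses as an IP address under `parse`; a DNS name never matches an IP SAN.
    """
    host_ip = parse(hostname)
    if host_ip is None:
        return False
    return strict_parse(san_ip) == host_ip


def audit(samples) -> Dict[str, Tuple[bool, bool]]:
    """Report, for each sample, whether the lenient and the strict parser accept it."""
    return {s: (lenient_parse(s) is not None, strict_parse(s) is not None) for s in samples}


if __name__ == "__main__":
    for name, (lenient_ok, strict_ok) in audit(SAMPLES).items():
        print(f"{name!r:45} lenient={lenient_ok!s:5} strict={strict_ok}")
    bad = "1.1.1.1 ; this should not work but does"
    print("lenient match:", ip_san_matches("1.1.1.1", bad, lenient_parse))
    print("strict match: ", ip_san_matches("1.1.1.1", bad, strict_parse))
```

Run on glibc, the lenient column accepts the advisory's string and the '\r' variant while the strict column rejects both; the "1.1.1.1x" trailer is rejected by both because 'x' is not white-space. A defender auditing similar code should look for any path where inet_aton() (or inet_addr()) output feeds an identity comparison, and replace it with a parser that rejects the whole string on any trailing byte.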
Dates:
Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
Reported at: 2019-06-07 (email to PSRT)
Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer
Python 3.7.4 (2019-07-08) fixed by commit 070fae6 (branch 3.7) (2019-07-02)
Python 3.8.0 (2019-10-14) fixed by commit 3cba3d3 (branch 3.8) (2019-07-02)
ssl.match_hostname() ignores extra string after whitespace in IPv4 address.
Python issue: bpo-37463
Creation date: 2019-07-01
Reporter: Christian Heimes
Timeline using the disclosure date 2019-07-01 as reference:
2019-06-07 (-24 days): Reported (email to PSRT)
2019-07-01: Python issue bpo-37463 reported by Christian Heimes
2019-07-02 (+1 day): commit 070fae6 (branch 3.7)
2019-07-02 (+1 day): commit 3cba3d3 (branch 3.8)
2019-07-08 (+7 days): Python 3.7.4 released
2019-10-14: Python 3.8.0 released