# HG changeset patch
# User Antoine Pitrou <solipsis@pitrou.net>
# Date 1368892602 -7200
# Node ID c627638753e2d25a98950585b259104a025937a9
# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

Index: backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
===================================================================
--- backports.ssl_match_hostname-3.2a3.orig/src/backports/ssl_match_hostname/__init__.py
+++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
@@ -7,9 +7,16 @@ __version__ = '3.2.2'
 class CertificateError(ValueError):
     pass
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.