
Author christian.heimes
Recipients Arfrever, christian.heimes, loewis, pitrou
Date 2013-08-12.12:47:56
Message-id <1376311677.06.0.356846809399.issue17997@psf.upfronthosting.co.za>
Content
Ryan Sleevi of the Google Chrome Security Team has informed us about another issue that is caused by our failure to implement RFC 6125 wildcard matching rules. RFC 6125 allows only one wildcard in the left-most fragment of a hostname. For security reasons matching rules like *.*.com should not be supported.

For wildcards in internationalized domain names I have followed the piece of advice "In the face of ambiguity, refuse the temptation to guess." A substring wildcard no longer matches an IDN A-label fragment. '*' still matches a full punycode fragment but 'x*' no longer matches 'xn--foo'. I copied the idea from Chrome's matching code:

http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc?revision=212341#l640

        // * must not match a substring of an IDN A label; just a whole fragment.
        if (reference_host.starts_with("xn--") &&
            !(pattern_begin.empty() && pattern_end.empty()))
          continue;
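The matching rules described in this message, written out as a stand-alone Python function. This is an added illustration, not the patch attached to the issue and not the code that ended up in CPython's ssl module; the function name dnsname_match and the CertificateError class are assumptions for the example. It rejects patterns with more than one wildcard or with a wildcard outside the left-most label, lets a bare '*' match any whole label (punycode included), and refuses to let a partial wildcard such as 'x*' match an 'xn--' A-label.

```python
class CertificateError(ValueError):
    """Raised when a certificate DNS name pattern is malformed (hypothetical name)."""


def dnsname_match(dn: str, hostname: str) -> bool:
    """Return True if the certificate DNS name ``dn`` matches ``hostname``.

    Rules, following RFC 6125 section 6.4.3 as summarised in the message above:
      * at most one wildcard, and only in the left-most label ("*.*.com" and
        "foo.*.com" are rejected with CertificateError);
      * a bare '*' matches exactly one whole label, including an IDN A-label;
      * a partial wildcard such as 'x*' never matches an 'xn--' A-label;
      * all other labels are compared literally and case-insensitively.
    """
    if not dn or not hostname:
        return False
    dn_labels = dn.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    leftmost, rest = dn_labels[0], dn_labels[1:]

    wildcards = dn.count("*")
    if wildcards > 1:
        raise CertificateError(f"too many wildcards in certificate DNS name {dn!r}")
    if any("*" in label for label in rest):
        raise CertificateError(f"wildcard outside the left-most label in {dn!r}")

    # No wildcard at all: plain, case-insensitive equality of all labels.
    if wildcards == 0:
        return dn_labels == host_labels

    # A wildcard covers exactly one label, so the label counts must agree;
    # this is what stops "*.example.com" from matching "a.b.example.com".
    if len(dn_labels) != len(host_labels):
        return False

    host_leftmost = host_labels[0]
    if leftmost == "*":
        # Bare '*' matches any single non-empty label, punycode included.
        if not host_leftmost:
            return False
    else:
        # Substring wildcard ('x*', '*x', 'x*y'): refuse to guess inside an
        # IDN A-label; the host label must start and end with the literal parts.
        if host_leftmost.startswith("xn--"):
            return False
        head, tail = leftmost.split("*")
        if len(host_leftmost) < len(head) + len(tail):
            return False
        if not (host_leftmost.startswith(head) and host_leftmost.endswith(tail)):
            return False

    # Remaining labels must match literally.
    return rest == host_labels[1:]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    print(dnsname_match("*.example.com", "www.example.com"))          # True
    print(dnsname_match("*.example.com", "xn--fo-fka.example.com"))   # True
    print(dnsname_match("x*.example.com", "xn--fo-fka.example.com"))  # False
```

The function raises rather than returns False for malformed patterns so that a caller can tell "this certificate does not cover the host" apart from "this certificate carries a name pattern we refuse to interpret", which is the distinction the message draws when it says such rules should not be supported.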

The relevant RFC sections for the patch are

  http://tools.ietf.org/html/rfc6125#section-6.4.3
  http://tools.ietf.org/html/rfc2818#section-3.1
  http://tools.ietf.org/html/rfc2459#section-4.2.1.7
  http://tools.ietf.org/html/rfc5280#section-7