.. _ssl-match_hostname-ipv4-trailing:

ssl.match_hostname() ignores extra string after whitespace in IPv4 address
==========================================================================

.. warning::
   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open Source
   Vulnerability (OSV) format. This database can be viewed online at the
   `Open Source Vulnerability Database `_.

``inet_aton()`` accepts trailing characters after a valid IP address. Because of
that, Python ``ssl.match_hostname('1.1.1.1 ; this should not work but does')``
succeeded when it should have failed.

The issue was introduced in `bpo-32819 `_ by `commit aef1283b `_. Only Python
3.7 and newer are affected.

It is a potential security bug, although of **low severity**. For one, Python
3.7 and newer **no longer use** ``ssl.match_hostname()`` to verify hostnames and
IP addresses of a certificate: **matching is performed by OpenSSL**. It should
also not be possible to register an X.509 certificate for a hostname that
contains spaces.

The glibc function ``inet_aton()`` accepts input as valid if that input is an
IPv4 address followed by zero or more characters that ``isspace()`` classifies as
white-space, with the rest of the string after the first white-space character
being ignored. As ``'\r'`` is a valid white-space character, the rest of the
string is ignored (including the ``'\r'``). See `glibc bug 24111: Deprecate
inet_addr, inet_aton `_.
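To make the failure mode concrete, the following is an added example (not code from CPython or from this advisory) that contrasts the platform ``inet_aton()`` with a strict parser and shows how an IP-address comparison should reject the trailing-junk string. The names ``inet_aton_accepts``, ``strict_ipv4`` and ``ip_matches_san`` are chosen for this illustration; the sample input is constructed.

```python
import ipaddress
import socket

# Constructed input: a valid IPv4 address followed by white-space and junk.
TRAILING_JUNK = "1.1.1.1 ; this should not work but does"


def inet_aton_accepts(ipname: str) -> bool:
    """Return True if the C library's inet_aton() accepts ipname.

    glibc stops parsing at the first isspace() character and ignores
    whatever follows, so TRAILING_JUNK is accepted there. The result is
    platform dependent, which is exactly why it is unsafe as a validator.
    """
    try:
        socket.inet_aton(ipname)
    except OSError:
        return False
    return True


def strict_ipv4(ipname: str):
    """Parse ipname as exactly one dotted-quad IPv4 address.

    ipaddress.IPv4Address rejects every character outside the dotted-quad
    form (white-space included), so nothing can hide after the address.
    Returns the address object, or None when the string is not a pure address.
    """
    try:
        return ipaddress.IPv4Address(ipname)
    except ipaddress.AddressValueError:
        return None


def ip_matches_san(cert_ip: str, requested_host: str) -> bool:
    """Compare a certificate IP SAN with the host the client asked for.

    Both sides are parsed strictly; any string that is not a pure IPv4
    address fails the match instead of being silently truncated.
    """
    expected = strict_ipv4(requested_host)
    san = strict_ipv4(cert_ip)
    return expected is not None and san is not None and expected == san


if __name__ == "__main__":
    print("inet_aton accepts junk:", inet_aton_accepts(TRAILING_JUNK))
    print("strict parse of junk:", strict_ipv4(TRAILING_JUNK))
    print("SAN match, clean host:", ip_matches_san("1.1.1.1", "1.1.1.1"))
    print("SAN match, junk host:", ip_matches_san("1.1.1.1", TRAILING_JUNK))
```

On glibc the first line prints ``True``, which is the lenient behaviour the advisory describes; the strict parser returns ``None`` for the same input on every platform.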
Dates:

* Disclosure date: **2019-07-01** (Python issue bpo-37463 reported)
* Reported at: 2019-06-07 (email to PSRT)
* Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer

Fixed In
--------

* Python **3.7.4** (2019-07-08) fixed by `commit 070fae6 (branch 3.7) `_ (2019-07-02)
* Python **3.8.0** (2019-10-14) fixed by `commit 3cba3d3 (branch 3.8) `_ (2019-07-02)

Python issue
------------

ssl.match_hostname() ignores extra string after whitespace in IPv4 address.

* Python issue: `bpo-37463 `_
* Creation date: 2019-07-01
* Reporter: Christian Heimes

Timeline
--------

Timeline using the disclosure date **2019-07-01** as reference:

* 2019-06-07 (**-24 days**): Reported (email to PSRT)
* 2019-07-01: `Python issue bpo-37463 `_ reported by Christian Heimes
* 2019-07-02 (**+1 day**): `commit 070fae6 (branch 3.7) `_
* 2019-07-02 (**+1 day**): `commit 3cba3d3 (branch 3.8) `_
* 2019-07-08 (**+7 days**): Python 3.7.4 released
* 2019-10-14: Python 3.8.0 released