ssl.match_hostname() ignores extra string after whitespace in IPv4 address

inet_aton() accepts trailing characters after a valid IP. Because of that, Python's ssl.match_hostname('1.1.1.1 ; this should not work but does') succeeded when it should have failed.

The issue was introduced in bpo-32819 by commit aef1283b. Only Python 3.7 and newer are affected. It is a potential security bug, although of low severity. For one, Python 3.7 and newer no longer use ssl.match_hostname() to verify the hostnames and IP addresses of a certificate: matching is performed by OpenSSL.

It should not be possible to register an X.509 certificate with a hostname that contains spaces.

The glibc function inet_aton() accepts input as valid if said input is an IPv4 address followed by zero or more characters that are valid white-space as decided by isspace(), with the rest of the string after the first white-space being ignored. As '\r' is a valid white-space character, the rest of the string is ignored (including the '\r'). See glibc bug 24111: Deprecate inet_addr, inet_aton.
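As an added illustration (not code from CPython or from the fix for this issue), the following contrasts the lenient socket.inet_aton() path with a strict check built on the ipaddress module, which parses the whole string and so rejects the advisory's malformed input; the sample strings are constructed, and whether the lenient parser accepts the whitespace-suffixed ones depends on the platform's C library (glibc does).

```python
import ipaddress
import socket
from typing import List, Optional

# Constructed sample inputs: the advisory's malformed string plus variants.
SAMPLES = [
    "1.1.1.1",
    "1.1.1.1 ; this should not work but does",
    "1.1.1.1\r",
    "1.1.1.1\tjunk",
    "1.1.1",
    "256.1.1.1",
    "example.org",
]


def lenient_inet_aton(ipname: str) -> Optional[bytes]:
    """Pre-fix style check: socket.inet_aton() delegates to the C library's
    inet_aton(), which on glibc stops parsing at the first white-space and
    ignores the rest of the string. Returns packed bytes or None."""
    try:
        return socket.inet_aton(ipname)
    except OSError:
        return None


def strict_ipv4(ipname: str) -> Optional[bytes]:
    """Hardened check: ipaddress.IPv4Address() consumes the entire string and
    rejects trailing characters, white-space, octets above 255 and short
    dotted forms. Returns the packed 4-byte address or None."""
    try:
        return ipaddress.IPv4Address(ipname).packed
    except ipaddress.AddressValueError:
        return None


def match_ip(cert_ip: str, hostname: str) -> bool:
    """Compare a certificate iPAddress SAN entry with the address the client
    asked for, using the strict parser on both sides (hypothetical helper)."""
    a, b = strict_ipv4(cert_ip), strict_ipv4(hostname)
    return a is not None and a == b


def disagreements() -> List[str]:
    """Inputs the lenient parser accepts but the strict one rejects; on glibc
    this is exactly the white-space-suffixed samples."""
    return [s for s in SAMPLES if lenient_inet_aton(s) and strict_ipv4(s) is None]


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "lenient:", lenient_inet_aton(s), "strict:", strict_ipv4(s))
    print("accepted only by the lenient parser:", disagreements())
```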

  • Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
  • Reported at: 2019-06-07 (email to PSRT)
  • Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer

Fixed In

Python issue

socket.inet_aton IP parsing issue in ssl.match_hostname.

  • Python issue: bpo-37463
  • Creation date: 2019-07-01
  • Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2019-07-01 as reference: