ssl.match_hostname() ignores extra string after whitespace in IPv4 address

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

inet_aton() accepts trailing characters after a valid IP. Because of that, Python ssl.match_hostname('1.1.1.1 ; this should not work but does') succeeded when it should fail.

The issue was introduced in bpo-32819 by commit aef1283b. Only Python 3.7 and newer are affected. It is a potential security bug, although of low severity: for one thing, Python 3.7 and newer no longer use ssl.match_hostname() to verify the hostnames and IP addresses of a certificate; matching is performed by OpenSSL.

It should not be possible to register an x509 certificate with a hostname that contains spaces.

The glibc function inet_aton() accepts input as valid if said input is an IPv4 address followed by zero or more characters that are valid white-space as decided by isspace(), with the rest of the string after the first white-space being ignored. As '\r' is a valid white-space character, the rest of the string is ignored (including the '\r'). See glibc bug 24111: Deprecate inet_addr, inet_aton.
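The following added example is not part of this page or of CPython's own ssl module; it shows the parsing difference the paragraph describes and the defensive pattern a matching routine needs. It contrasts a wrapper around socket.inet_aton() (whose leniency on trailing text is platform-specific, glibc being the case described above) with a strict parser built on ipaddress.IPv4Address() plus a canonical round-trip check, then uses the strict parser in a hypothetical ip_san_matches() helper. The sample inputs, including the string quoted earlier on this page, are constructed for the demonstration.

```python
import ipaddress
import socket


def strict_ipv4(text):
    """Return the packed 4-byte form of an IPv4 address, or None if the
    string is not exactly one dotted-quad address and nothing else.

    ipaddress.IPv4Address() rejects trailing junk, surrounding whitespace
    and short forms such as '127.1'; the round-trip check below additionally
    rejects any spelling whose canonical form differs from the input.
    """
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:          # AddressValueError is a ValueError subclass
        return None
    if str(addr) != text:       # only accept injective (canonical) spellings
        return None
    return addr.packed


def lenient_inet_aton(text):
    """Wrap socket.inet_aton() so its leniency can be observed.

    On glibc, an address followed by whitespace and arbitrary text is
    accepted and the trailing text is silently discarded; other libcs may
    behave differently, so the result is platform-specific.
    """
    try:
        return socket.inet_aton(text)
    except OSError:
        return None


def ip_san_matches(cert_ip, host_ip):
    """Hypothetical helper: compare an IP address taken from a certificate's
    subjectAltName with the IP the client connected to.

    Both sides go through the strict parser, so an unparseable or padded
    value is a mismatch, never a silent acceptance.
    """
    a = strict_ipv4(cert_ip)
    b = strict_ipv4(host_ip)
    return a is not None and a == b


# Constructed sample inputs; only the first one is a valid address.
SAMPLES = [
    "1.1.1.1",
    "1.1.1.1 ; this should not work but does",
    "1.1.1.1\r",
    "127.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(
            f"{sample!r:45} inet_aton={lenient_inet_aton(sample)!r:24} "
            f"strict={strict_ipv4(sample)!r}"
        )
    print("SAN match:", ip_san_matches("1.1.1.1", "1.1.1.1"))
    print("padded SAN match:", ip_san_matches("1.1.1.1 ; junk", "1.1.1.1"))
```

Running the script on a glibc system shows inet_aton returning b'\x01\x01\x01\x01' for all but the last sample, while the strict parser accepts only the exact dotted quad. The round-trip check is what makes the parser safe to reuse: any input that a looser parser would "repair" fails to reproduce itself and is refused.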

Dates:

  • Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
  • Reported at: 2019-06-07 (email to PSRT)
  • Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer

Fixed In

Python issue

ssl.match_hostname() ignores extra string after whitespace in IPv4 address.

  • Python issue: bpo-37463
  • Creation date: 2019-07-01
  • Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2019-07-01 as reference: