ssl.match_hostname() ignores extra string after whitespace in IPv4 address
inet_aton() accepts trailing characters after a valid IP. Because of this,
ssl.match_hostname('188.8.131.52 ; this should not work but does')
succeeded when it should fail.
The issue was introduced in bpo-32819 by commit aef1283b.
Only Python 3.7 and newer are affected. It's a potential security bug,
although of low severity. For one, Python 3.7 and newer no longer use
ssl.match_hostname() to verify hostnames and IP addresses of a
certificate: matching is performed by OpenSSL.
It should not be possible to register an x509 certificate with a hostname with spaces.
The glibc function inet_aton() accepts input as valid if said input is
an IPv4 address followed by zero or more characters that are valid
white-space as decided by isspace(), with the rest of the string after
the first white-space being ignored. As '\r' is a valid white-space
character the rest of the string is ignored (including the
glibc bug 24111: Deprecate inet_addr, inet_aton.
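An added example, not part of the advisory and not the CPython patch: one way to reject such input before comparing addresses is to require that the text round-trips through inet_aton()/inet_ntoa() unchanged. The function names, and every sample string except the one quoted above, are constructed for illustration.

```python
import socket

# Constructed sample inputs; the first is the string quoted in the advisory.
SAMPLES = [
    "188.8.131.52 ; this should not work but does",
    "188.8.131.52\r.example.org",   # '\r' counts as white-space for isspace()
    "188.8.131.52",                 # canonical dotted quad
    "127.1",                        # short form many inet_aton() versions accept
]

def lenient_accepts(text):
    """Report whether this platform's inet_aton() parses text at all."""
    try:
        socket.inet_aton(text)
    except (OSError, ValueError):
        return False
    return True

def strict_ipv4(text):
    """Return the packed address only if text is exactly its canonical form."""
    try:
        packed = socket.inet_aton(text)
    except (OSError, ValueError) as exc:
        raise ValueError(f"{text!r} is not an IPv4 address") from exc
    # Trailing data and short forms do not survive the round trip.
    if socket.inet_ntoa(packed) != text:
        raise ValueError(f"{text!r} is not a canonical IPv4 address")
    return packed

def ip_matches(cert_ip, host):
    """Compare a certificate IP with the requested host using strict parsing."""
    try:
        return strict_ipv4(cert_ip) == strict_ipv4(host)
    except ValueError:
        return False

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "inet_aton accepts:", lenient_accepts(sample),
              "strict match:", ip_matches("188.8.131.52", sample))
```

The lenient result depends on the C library in use; the strict result does not.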
- Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
- Reported at: 2019-06-07 (email to PSRT)
- Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer
socket.inet_aton IP parsing issue in ssl.match_hostname.
- Python issue: bpo-37463
- Creation date: 2019-07-01
- Reporter: Christian Heimes
Timeline using the disclosure date 2019-07-01 as reference:
- 2019-06-07 (-24 days): Reported (email to PSRT)
- 2019-07-01: Python issue bpo-37463 reported by Christian Heimes
- 2019-07-02 (+1 days): commit 070fae6 (branch 3.7)
- 2019-07-02 (+1 days): commit 3cba3d3 (branch 3.8)
- 2019-07-02 (+1 days): commit 477b1b2 (branch 3.9)
- 2019-07-09 (+8 days): Python 3.7.4 released
- 2019-10-14: Python 3.8.0 released