ssl.match_hostname() ignores extra string after whitespace in IPv4 address
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
inet_aton() accepts trailing characters after a valid IP. Because of that, Python ssl.match_hostname('1.1.1.1 ; this should not work but does') succeeded when it should fail.
The issue was introduced in bpo-32819 by commit aef1283b.
Only Python 3.7 and newer are affected. It is a potential security bug, although of low severity. For one thing, Python 3.7 and newer no longer use ssl.match_hostname() to verify the hostnames and IP addresses of a certificate: matching is performed by OpenSSL. For another, it should not be possible to register an X.509 certificate with a hostname containing spaces.
The glibc function inet_aton() accepts input as valid if said input is an IPv4 address followed by zero or more characters that are valid white-space as decided by isspace(), with the rest of the string after the first white-space being ignored. As '\r' is a valid white-space character, the rest of the string is ignored (including the '\r'). See glibc bug 24111: Deprecate inet_addr, inet_aton.
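The lenient parsing described above is the root of the bug: once a libc accepts "address, white-space, anything" as a valid address, a string comparison layered on top of it no longer means what the caller thinks. The following is an added illustration, not code from CPython or from this advisory, showing a strict IPv4 parse (via the ipaddress module) beside a probe of the platform's own inet_aton(), and an IP SAN matcher built on the strict parse. The helper names strict_ipv4(), lenient_inet_aton_accepts() and match_ip_san() are assumptions made here for the demonstration; the sample string is the one quoted in the advisory.

```python
"""Strict vs. lenient IPv4 parsing when matching a certificate's IP SAN.

Added illustration (not code from CPython or this advisory). The helper
names strict_ipv4(), lenient_inet_aton_accepts() and match_ip_san() are
assumptions made for this demonstration.
"""
import ipaddress
import socket

# Constructed sample: the exact string quoted in the advisory.
TRAILING_JUNK = "1.1.1.1 ; this should not work but does"


def strict_ipv4(ipname):
    """Return the 4 packed bytes for an IPv4 literal, or None if ipname is
    not exactly an IPv4 address.

    ipaddress.IPv4Address only accepts four decimal octets separated by
    dots, so trailing white-space (including '\\r') and anything after it
    is rejected rather than silently ignored.
    """
    try:
        return ipaddress.IPv4Address(ipname).packed
    except ipaddress.AddressValueError:
        return None


def lenient_inet_aton_accepts(ipname):
    """Report whether this platform's inet_aton() accepts ipname at all.

    glibc (and the BSD libc) stop parsing at the first white-space character
    and ignore the rest, so this returns True for TRAILING_JUNK there; other
    libcs (for example musl) may reject it. The result is informational only
    and is deliberately not relied on by match_ip_san().
    """
    try:
        socket.inet_aton(ipname)
        return True
    except OSError:
        return False


def match_ip_san(cert_ip, presented):
    """Match the IP address from a certificate's subjectAltName iPAddress
    entry against the address the client asked to verify.

    cert_ip is the dotted-quad string as rendered from the SAN; presented is
    the string the caller supplied (as it would be to ssl.match_hostname).
    Both must parse strictly and are compared as packed bytes, so
    '1.1.1.1 ; ...' can never match a SAN for 1.1.1.1.
    """
    cert_bytes = strict_ipv4(cert_ip)
    presented_bytes = strict_ipv4(presented)
    if cert_bytes is None or presented_bytes is None:
        return False
    return cert_bytes == presented_bytes


if __name__ == "__main__":
    print("strict_ipv4 accepts '1.1.1.1':", strict_ipv4("1.1.1.1") is not None)
    print("strict_ipv4 accepts trailing junk:", strict_ipv4(TRAILING_JUNK) is not None)
    print("this platform's inet_aton accepts trailing junk:",
          lenient_inet_aton_accepts(TRAILING_JUNK))
    print("match_ip_san('1.1.1.1', junk):", match_ip_san("1.1.1.1", TRAILING_JUNK))
```

Running the script on a glibc system prints True for the inet_aton probe and False for the strict matcher, which is the whole point: the decision about what counts as an address must be made by a parser that consumes the entire string, not by a libc routine that stops at the first white-space.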
Dates:
- Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
- Reported at: 2019-06-07 (email to PSRT)
- Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer
Fixed In
- Python 3.7.4 (2019-07-08) fixed by commit 070fae6 (branch 3.7) (2019-07-02)
- Python 3.8.0 (2019-10-14) fixed by commit 3cba3d3 (branch 3.8) (2019-07-02)
Python issue
ssl.match_hostname() ignores extra string after whitespace in IPv4 address.
- Python issue: bpo-37463
- Creation date: 2019-07-01
- Reporter: Christian Heimes
Timeline
Timeline using the disclosure date 2019-07-01 as reference:
- 2019-06-07 (-24 days): Reported (email to PSRT)
- 2019-07-01: Python issue bpo-37463 reported by Christian Heimes
- 2019-07-02 (+1 days): commit 070fae6 (branch 3.7)
- 2019-07-02 (+1 days): commit 3cba3d3 (branch 3.8)
- 2019-07-08 (+7 days): Python 3.7.4 released
- 2019-10-14: Python 3.8.0 released