ssl.match_hostname() ignores extra string after whitespace in IPv4 address
inet_aton() accepts trailing characters after a valid IP. Because of this,
ssl.match_hostname('220.127.116.11 ; this should not work but does')
succeeded when it should fail.
The issue was introduced in bpo-32819 by commit aef1283b.
Only Python 3.7 and newer are affected. It's a potential security bug,
although of low severity. For one, Python 3.7 and newer no longer use
ssl.match_hostname() to verify hostnames and IP addresses of a
certificate: matching is performed by OpenSSL.
It should also not be possible to register an x509 certificate with a hostname containing spaces.
The glibc function inet_aton() accepts input as valid if said input is
an IPv4 address followed by zero or more characters that are valid
white-space as decided by isspace(), with the rest of the string after
the first white-space being ignored. As '\r' is a valid white-space
character the rest of the string is ignored (including the
glibc bug 24111: Deprecate inet_addr, inet_aton.
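The following is an added example, not code from the advisory or from CPython: a round-trip check that rejects the trailing-data input described above before it is treated as an IP address. The function names are hypothetical, and `libc_accepts()` returns True for the malformed samples only on C libraries whose inet_aton() tolerates trailing data, such as glibc.

```python
import socket


def libc_accepts(name: str) -> bool:
    """True if the platform's inet_aton() parses `name` (platform dependent)."""
    try:
        socket.inet_aton(name)
        return True
    except (OSError, ValueError):
        return False


def strict_ipv4(name: str) -> bytes:
    """Return the packed address only if `name` is exactly a dotted quad."""
    try:
        packed = socket.inet_aton(name)
    except (OSError, ValueError):
        raise ValueError(f"{name!r} is not an IPv4 address") from None
    # Round trip: render the packed bytes again and require an exact match.
    # Trailing data ("a.b.c.d ; junk"), short forms ("127.1") and octal
    # octets ("192.0.2.01") all parse to bytes that render differently.
    if socket.inet_ntoa(packed) != name:
        raise ValueError(f"{name!r} is not a quad-dotted IPv4 address")
    return packed


def is_strict_ipv4(name: str) -> bool:
    try:
        strict_ipv4(name)
        return True
    except ValueError:
        return False


# The first two strings come from the text above; the rest are constructed.
SAMPLES = [
    "220.127.116.11",
    "220.127.116.11 ; this should not work but does",
    "192.0.2.1\r\nextra",
    "127.1",
    "192.0.2.01",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} libc={libc_accepts(s)!s:5} strict={is_strict_ipv4(s)}")
```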
- Disclosure date: 2019-07-01 (Python issue bpo-37463 reported)
- Reported at: 2019-06-07 (email to PSRT)
- Reported by: bug found by Dominik Czarnota, reported by Paul Kehrer
socket.inet_aton IP parsing issue in ssl.match_hostname.
- Python issue: bpo-37463
- Creation date: 2019-07-01
- Reporter: Christian Heimes
Timeline using the disclosure date 2019-07-01 as reference: