Avoid DoS in SSL certificate host matching.

Bastian Kleineidam 2013-11-30 22:07:23 +01:00
parent 83ec53688d
commit c676a4c829
2 changed files with 9 additions and 1 deletions


@ -2,6 +2,7 @@
Features:
- checking: Make per-host connection limits configurable.
- checking: Avoid DoS in SSL certificate host matcher.
Changes:
- checking: Always use the W3C validator to check HTML or CSS syntax.


@ -118,10 +118,17 @@ class CertificateError(ValueError):
pass
def _dnsname_to_pat(dn):
def _dnsname_to_pat(dn, max_wildcards=1):
"""Convert a DNS certificate name to a hostname matcher."""
pats = []
for frag in dn.split(r'.'):
if frag.count('*') > max_wildcards:
# Issue #17980: avoid denials of service by refusing more
# than one wildcard per fragment. A survery of established
# policy among SSL implementations showed it to be a
# reasonable choice.
raise CertificateError(
"too many wildcards in certificate DNS name: " + repr(dn))
if frag == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.