From c676a4c829ee31857485400e106b5d623610029d Mon Sep 17 00:00:00 2001
From: Bastian Kleineidam
Date: Sat, 30 Nov 2013 22:07:23 +0100
Subject: [PATCH] Avoid DoS in SSL certificate host matching.
---
 doc/changelog.txt | 1 +
 linkcheck/checker/httpsurl.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 633959d3..348ab828 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -2,6 +2,7 @@
 Features:
 - checking: Make per-host connection limits configurable.
+- checking: Avoid DoS in SSL certificate host matcher.
 Changes:
 - checking: Always use the W3C validator to check HTML or CSS syntax.
diff --git a/linkcheck/checker/httpsurl.py b/linkcheck/checker/httpsurl.py
index 16f89642..c1c97422 100644
--- a/linkcheck/checker/httpsurl.py
+++ b/linkcheck/checker/httpsurl.py
@@ -118,10 +118,17 @@ class CertificateError(ValueError):
 pass
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
 """Convert a DNS certificate name to a hostname matcher."""
 pats = []
 for frag in dn.split(r'.'):
+ if frag.count('*') > max_wildcards:
+ # Issue #17980: avoid denials of service by refusing more
+ # than one wildcard per fragment. A survery of established
+ # policy among SSL implementations showed it to be a
+ # reasonable choice.
+ raise CertificateError(
+ "too many wildcards in certificate DNS name: " + repr(dn))
 if frag == '*':
 # When '*' is a fragment by itself, it matches a non-empty dotless
 # fragment.
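Review bot: The new `frag.count('*') > max_wildcards` check bounds wildcards per fragment only, so a certificate name with a wildcard in every label, or in a label other than the left-most one, still goes on to pattern construction. RFC 6125 (section 6.4.3) says clients should not match a wildcard outside the left-most label, so a stricter guard placed before the loop would be `if '*' in dn.partition('.')[2]: raise CertificateError("wildcard outside left-most label: " + repr(dn))`. The docstring should also state that `max_wildcards` is a per-fragment limit and that `CertificateError` is raised when it is exceeded; the comment hard-codes "more than one wildcard" although the limit is now a parameter, and it misspells "survey" as `survery`. The rest of `_dnsname_to_pat` and its callers lie outside this hunk, so whether the raised error ends up as a failed host match rather than an unhandled exception could not be checked here.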