match_hostname function from system ssl module should be used
Bug #1538480 reported by Vincent Ladeuil
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bazaar | Fix Released | High | Vincent Ladeuil |
Bug Description
From the mailing list:
bzr contains a copy of the match_hostname implementation from Python 3, whose wildcard matching rules do not follow RFC 6125; in consequence it can be used for a DoS attack [0]. Since Python v2.7.9, ssl.match_hostname is fully merged into the standard library and should be used instead of the implementation inside bzrlib/
A possible patch is available here [2]. Maybe the tests for matching hostname could be removed completely when the ssl library is used.
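The wildcard rules the report refers to, as an added Python sketch that is not bzrlib or standard-library code: `dnsname_matches`, `cert_matches` and `SAMPLE_SAN` are hypothetical names, and the matcher is a deliberately strict reading of RFC 6125 section 6.4.3 that compares labels directly instead of building a regular expression from certificate data. It illustrates the rule only; real clients should leave hostname checking to the `ssl` module, as the report asks.

```python
# Added illustration, not bzrlib or CPython code.
def dnsname_matches(pattern, hostname):
    """Return True if a certificate dNSName pattern matches hostname.

    Simplified reading of RFC 6125 section 6.4.3: a wildcard is accepted
    only as the whole left-most label and stands for exactly one label.
    No regular expression is ever built from certificate data.
    """
    if not pattern or not hostname:
        return False
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if any(label == "" for label in p_labels + h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Wildcards outside the left-most label are refused outright.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False
    if "*" not in first:
        return first == h_labels[0]
    # Partial or repeated wildcards ("w*", "a*b*c") are refused here;
    # this is stricter than the RFC, which tolerates one partial wildcard.
    if first != "*":
        return False
    # Extra conservative choice (an assumption of this sketch): demand two
    # fixed labels so that "*.com" cannot match.
    return len(rest) >= 2


def cert_matches(san_dnsnames, hostname):
    """Check hostname against every dNSName entry of a certificate."""
    return any(dnsname_matches(name, hostname) for name in san_dnsnames)


# Constructed sample subjectAltName entries.
SAMPLE_SAN = ["example.com", "*.example.com"]
```

Because the comparison is a fixed number of string equality checks per label, the cost of a match is linear in the length of the names regardless of how many `*` characters a certificate contains.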
Related branches
lp:~vila/bzr/1538480-match-hostname
- Richard Wilbur: Approve
Diff: 364 lines (+75/-127)
4 files modified
bzrlib/errors.py (+1/-9)
bzrlib/tests/test_https_urllib.py (+32/-28)
bzrlib/transport/http/_urllib2_wrappers.py (+39/-90)
doc/en/release-notes/bzr-2.7.txt (+3/-0)
Changed in bzr:
status: In Progress → Fix Released