Posted to notifications@libcloud.apache.org by to...@apache.org on 2012/09/10 23:53:41 UTC
svn commit: r1383122 - in /libcloud/trunk/libcloud: httplib_ssl.py
test/test_httplib_ssl.py
Author: tomaz
Date: Mon Sep 10 21:53:40 2012
New Revision: 1383122
URL: http://svn.apache.org/viewvc?rev=1383122&view=rev
Log:
Fix a bug with the Libcloud SSL verification code. Code was too strict and
didn't allow "-" character in the sub-domain when using a wildcard certificate.
Note: This is NOT a security vulnerability.
Modified:
libcloud/trunk/libcloud/httplib_ssl.py
libcloud/trunk/libcloud/test/test_httplib_ssl.py
Modified: libcloud/trunk/libcloud/httplib_ssl.py
URL: http://svn.apache.org/viewvc/libcloud/trunk/libcloud/httplib_ssl.py?rev=1383122&r1=1383121&r2=1383122&view=diff
==============================================================================
--- libcloud/trunk/libcloud/httplib_ssl.py (original)
+++ libcloud/trunk/libcloud/httplib_ssl.py Mon Sep 10 21:53:40 2012
@@ -121,9 +121,10 @@ class LibcloudHTTPSConnection(httplib.HT
# replace * with alphanumeric and dash
# replace . with literal .
+ # http://www.dns.net/dnsrd/trick.html#legal-hostnames
valid_patterns = [
re.compile('^' + pattern.replace(r".", r"\.") \
- .replace(r"*", r"[0-9A-Za-z]+") + '$')
+ .replace(r"*", r"[0-9A-Za-z\-]+") + '$')
for pattern in (set(common_name) | set(alt_names))]
return any(
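Review bot: The pattern built in `valid_patterns` escapes only `.` and `*`, so any other regex metacharacter in a certificate's commonName or subjectAltName is compiled as regex syntax instead of being matched literally. Escaping the whole name first and then expanding the wildcard keeps certificate-supplied data inert: `re.compile('^' + re.escape(pattern).replace(r"\*", r"[0-9A-Za-z\-]+") + '$')`. The `*` is also expanded wherever it appears in the name, not only in the left-most label. Whether that is restricted elsewhere cannot be seen here, because the method starts before this hunk and continues past it.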
Modified: libcloud/trunk/libcloud/test/test_httplib_ssl.py
URL: http://svn.apache.org/viewvc/libcloud/trunk/libcloud/test/test_httplib_ssl.py?rev=1383122&r1=1383121&r2=1383122&view=diff
==============================================================================
--- libcloud/trunk/libcloud/test/test_httplib_ssl.py (original)
+++ libcloud/trunk/libcloud/test/test_httplib_ssl.py Mon Sep 10 21:53:40 2012
@@ -53,6 +53,14 @@ class TestHttpLibSSLTests(unittest.TestC
(('organizationalUnitName', 'SSL'),),
(('commonName', 'python.org'),))}
+ cert4 = {'notAfter': 'Feb 16 16:54:50 2013 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'Delaware'),),
+ (('localityName', 'Wilmington'),),
+ (('organizationName', 'Python Software Foundation'),),
+ (('organizationalUnitName', 'SSL'),),
+ (('commonName', '*.api.joyentcloud.com'),))}
+
self.assertFalse(self.httplib_object._verify_hostname(
hostname='invalid', cert=cert1))
self.assertFalse(self.httplib_object._verify_hostname(
@@ -88,6 +96,11 @@ class TestHttpLibSSLTests(unittest.TestC
self.assertFalse(self.httplib_object._verify_hostname(
hostname='ython.org', cert=cert3))
+ self.assertTrue(self.httplib_object._verify_hostname(
+ hostname='us-east-1.api.joyentcloud.com', cert=cert4))
+ self.assertTrue(self.httplib_object._verify_hostname(
+ hostname='useast-1.api.joyentcloud.com', cert=cert4))
+
def test_get_subject_alt_names(self):
cert1 = {'notAfter': 'Feb 16 16:54:50 2013 GMT',
'subject': ((('countryName', 'US'),),
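Review bot: The two added assertions only check that the relaxed wildcard accepts hostnames, so nothing pins what `*.api.joyentcloud.com` must still reject after the character class was widened. Add negative cases against `cert4` next to them, for example `self.assertFalse(self.httplib_object._verify_hostname(hostname='api.joyentcloud.com', cert=cert4))`, and a second one with an extra label such as `a.b.api.joyentcloud.com`. It would also help to state in a test whether a label that begins or ends with `-` is meant to match, since the new class `[0-9A-Za-z\-]+` appears to allow it. The test method these lines belong to starts outside this hunk.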