Antoine Pitrou added the comment:

> In my tests, I used a host name like
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org, and a dNSName
> like a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*.example.org.
> Quadratic behavior wouldn't be too bad because the host name is
> necessarily rather short (more than 255 characters will not pass
> through DNS).

Hmm, but the host name doesn't necessarily come from DNS, does it?

----------
title: CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names -> CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
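
A defensive matcher for the concern raised in this exchange, as an added example that is not part of the original message and not the ssl module's code. It enforces the 255-character limit on the caller's host name explicitly instead of assuming DNS did so, caps the number of wildcards, and compares labels without a regex; the function names, the exception class and the cap of one wildcard are assumptions made for this example.

```python
# Added example; names and limits below are assumptions, not ssl module code.
MAX_WILDCARDS = 1        # assumed policy cap on '*' per certificate name
MAX_HOSTNAME_LEN = 255   # DNS limit cited in the thread, enforced explicitly


class CertificateNameError(ValueError):
    """Raised when a name is rejected before any matching is attempted."""


def label_matches(pattern: str, label: str) -> bool:
    """Compare one label against a pattern holding at most one '*'.

    Uses prefix/suffix comparison instead of a regex, so the cost is
    linear in the label length and there is nothing to backtrack over.
    """
    if not label:
        return False
    if "*" not in pattern:
        return pattern == label
    prefix, _, suffix = pattern.partition("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def dnsname_matches(dnsname: str, hostname: str) -> bool:
    """Return True if hostname matches the certificate's dNSName."""
    # The caller's hostname may never have passed through DNS, so check it.
    if len(hostname) > MAX_HOSTNAME_LEN:
        raise CertificateNameError("hostname longer than 255 characters")
    if dnsname.count("*") > MAX_WILDCARDS:
        raise CertificateNameError("too many wildcards in certificate name")
    pat_labels = dnsname.lower().split(".")
    host_labels = hostname.lower().split(".")
    if "*" in ".".join(pat_labels[1:]):
        raise CertificateNameError("wildcard outside the leftmost label")
    if len(pat_labels) != len(host_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(pat_labels, host_labels))


# Constructed inputs shaped like the ones quoted in the thread.
CRAFTED_DNSNAME = "a*" * 25 + ".example.org"
LONG_LABEL_HOST = "a" * 40 + ".example.org"
```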