sslutil: synchronize hostname matching logic with CPython
sslutil contains its own hostname matching logic. CPython has code
for the same intent. However, it is only available to Python 2.7.9+
(or distributions that have backported 2.7.9's ssl module
improvements).
This patch effectively imports CPython's hostname matching code
from its ssl.py into sslutil.py. The hostname matching code itself
is pretty similar. However, the DNS name matching code is much more
robust and spec conformant.
As the test changes show, this changes some behavior around
wildcard handling and IDNA matching. The new behavior allows
wildcards in the middle of words (e.g. 'f*.com' matches 'foo.com')
This is spec compliant according to RFC 6125 Section 6.5.3 item 3.
There is one test where the matcher is more strict. Before,
'*.a.com' matched '.a.com'. Now it doesn't match. Strictly speaking
this is a security vulnerability.
$ hg init a
$ cd a
$ echo a > a
$ hg ci -Am0
adding a
$ echo b > b
$ hg ci -Am1
adding b
$ hg tag -r0 default
warning: tag default conflicts with existing branch name
$ hg log
changeset: 2:30a83d1e4a1e
tag: tip
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: Added tag default for changeset f7b1eb17ad24
changeset: 1:925d80f479bb
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: 1
changeset: 0:f7b1eb17ad24
tag: default
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: 0
$ hg update 'tag(default)'
0 files updated, 0 files merged, 2 files removed, 0 files unresolved
$ hg parents
changeset: 0:f7b1eb17ad24
tag: default
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: 0
$ hg update 'branch(default)'
2 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg parents
changeset: 2:30a83d1e4a1e
tag: tip
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: Added tag default for changeset f7b1eb17ad24
$ cd ..