remove HTTPSConnection's check_hostname parameter (#22959)
This commit is contained in:
parent
fd0c92fe07
commit
227f6e0dc5
|
@ -70,7 +70,7 @@ The module provides the following classes:
|
|||
*source_address* was added.
|
||||
|
||||
|
||||
.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address, context, check_hostname]]]]]])
|
||||
.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address[, context]]]]]]])
|
||||
|
||||
A subclass of :class:`HTTPConnection` that uses SSL for communication with
|
||||
secure servers. Default port is ``443``. If *context* is specified, it must
|
||||
|
@ -83,13 +83,6 @@ The module provides the following classes:
|
|||
|
||||
Please read :ref:`ssl-security` for more information on best practices.
|
||||
|
||||
.. note::
|
||||
If *context* is specified and has a :attr:`~ssl.SSLContext.verify_mode`
|
||||
of either :data:`~ssl.CERT_OPTIONAL` or :data:`~ssl.CERT_REQUIRED`, then
|
||||
by default *host* is matched against the host name(s) allowed by the
|
||||
server's certificate. If you want to change that behaviour, you can
|
||||
explicitly set *check_hostname* to False.
|
||||
|
||||
.. versionadded:: 2.0
|
||||
|
||||
.. versionchanged:: 2.6
|
||||
|
@ -99,7 +92,7 @@ The module provides the following classes:
|
|||
*source_address* was added.
|
||||
|
||||
.. versionchanged:: 2.7.9
|
||||
*context* and *check_hostname* was added.
|
||||
*context* was added.
|
||||
|
||||
This class now performs all the necessary certificate and hostname checks
|
||||
by default. To revert to the previous, unverified, behavior
|
||||
|
|
|
@ -1187,23 +1187,16 @@ else:
|
|||
|
||||
def __init__(self, host, port=None, key_file=None, cert_file=None,
|
||||
strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
|
||||
source_address=None, context=None, check_hostname=None):
|
||||
source_address=None, context=None):
|
||||
HTTPConnection.__init__(self, host, port, strict, timeout,
|
||||
source_address)
|
||||
self.key_file = key_file
|
||||
self.cert_file = cert_file
|
||||
if context is None:
|
||||
context = ssl._create_default_https_context()
|
||||
will_verify = context.verify_mode != ssl.CERT_NONE
|
||||
if check_hostname is None:
|
||||
check_hostname = will_verify
|
||||
elif check_hostname and not will_verify:
|
||||
raise ValueError("check_hostname needs a SSL context with "
|
||||
"either CERT_OPTIONAL or CERT_REQUIRED")
|
||||
if key_file or cert_file:
|
||||
context.load_cert_chain(cert_file, key_file)
|
||||
self._context = context
|
||||
self._check_hostname = check_hostname
|
||||
|
||||
def connect(self):
|
||||
"Connect to a host on a given (SSL) port."
|
||||
|
@ -1217,13 +1210,6 @@ else:
|
|||
|
||||
self.sock = self._context.wrap_socket(self.sock,
|
||||
server_hostname=server_hostname)
|
||||
if not self._context.check_hostname and self._check_hostname:
|
||||
try:
|
||||
ssl.match_hostname(self.sock.getpeercert(), server_hostname)
|
||||
except Exception:
|
||||
self.sock.shutdown(socket.SHUT_RDWR)
|
||||
self.sock.close()
|
||||
raise
|
||||
|
||||
__all__.append("HTTPSConnection")
|
||||
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
This empty directory serves as destination for temporary files
|
||||
created by some tests.
|
|
@ -616,18 +616,15 @@ class HTTPSTest(TestCase):
|
|||
server = self.make_server(CERT_fakehostname)
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
context.check_hostname = True
|
||||
context.load_verify_locations(CERT_fakehostname)
|
||||
h = httplib.HTTPSConnection('localhost', server.port, context=context)
|
||||
with self.assertRaises(ssl.CertificateError):
|
||||
h.request('GET', '/')
|
||||
# Same with explicit check_hostname=True
|
||||
h = httplib.HTTPSConnection('localhost', server.port, context=context,
|
||||
check_hostname=True)
|
||||
with self.assertRaises(ssl.CertificateError):
|
||||
h.request('GET', '/')
|
||||
# With check_hostname=False, the mismatching is ignored
|
||||
h = httplib.HTTPSConnection('localhost', server.port, context=context,
|
||||
check_hostname=False)
|
||||
h.close()
|
||||
# With context.check_hostname=False, the mismatching is ignored
|
||||
context.check_hostname = False
|
||||
h = httplib.HTTPSConnection('localhost', server.port, context=context)
|
||||
h.request('GET', '/nonexistent')
|
||||
resp = h.getresponse()
|
||||
self.assertEqual(resp.status, 404)
|
||||
|
|
|
@ -139,10 +139,10 @@ def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
|
|||
)
|
||||
if not _have_ssl:
|
||||
raise ValueError('SSL support not available')
|
||||
context = ssl._create_stdlib_context(cert_reqs=ssl.CERT_REQUIRED,
|
||||
context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
|
||||
cafile=cafile,
|
||||
capath=capath)
|
||||
https_handler = HTTPSHandler(context=context, check_hostname=True)
|
||||
https_handler = HTTPSHandler(context=context)
|
||||
opener = build_opener(https_handler)
|
||||
elif context:
|
||||
https_handler = HTTPSHandler(context=context)
|
||||
|
@ -1231,14 +1231,13 @@ class HTTPHandler(AbstractHTTPHandler):
|
|||
if hasattr(httplib, 'HTTPS'):
|
||||
class HTTPSHandler(AbstractHTTPHandler):
|
||||
|
||||
def __init__(self, debuglevel=0, context=None, check_hostname=None):
|
||||
def __init__(self, debuglevel=0, context=None):
|
||||
AbstractHTTPHandler.__init__(self, debuglevel)
|
||||
self._context = context
|
||||
self._check_hostname = check_hostname
|
||||
|
||||
def https_open(self, req):
|
||||
return self.do_open(httplib.HTTPSConnection, req,
|
||||
context=self._context, check_hostname=self._check_hostname)
|
||||
context=self._context)
|
||||
|
||||
https_request = AbstractHTTPHandler.do_request_
|
||||
|
||||
|
|
|
@ -10,6 +10,9 @@ What's New in Python 2.7.9?
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #22959: Remove the *check_hostname* parameter of
|
||||
httplib.HTTPSConnection. The *context* parameter should be used instead.
|
||||
|
||||
- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
|
||||
will return. This resolves CVE-2013-1753.
|
||||
|
||||
|
|
Loading…
Reference in New Issue