
use HTTPS URLs instead of HTTP

Unfortunately urllib2 does not validate certificates, so this will not
prevent MITM attacks.
1 parent d8d88da commit 1c8e58a7898779fc7c19230598227fd529243ca9 @astraw committed
Showing with 9 additions and 3 deletions.
  1. +9 −3 stdeb/downloader.py
12 stdeb/downloader.py
@@ -10,9 +10,9 @@ def myprint(mystr,fd=None):
else:
print >> fd, mystr
-USER_AGENT = 'pypi-install/0.6.0+git ( http://github.com/astraw/stdeb )'
+USER_AGENT = 'pypi-install/0.6.0+git ( https://github.com/astraw/stdeb )'
-def find_tar_gz(package_name, pypi_url = 'http://python.org/pypi',verbose=0):
+def find_tar_gz(package_name, pypi_url = 'https://python.org/pypi',verbose=0):
transport = xmlrpclib.Transport()
transport.user_agent = USER_AGENT
pypi = xmlrpclib.ServerProxy(pypi_url, transport=transport)
@@ -52,9 +52,15 @@ def find_tar_gz(package_name, pypi_url = 'http://python.org/pypi',verbose=0):
raise ValueError('no package "%s" was found'%package_name)
return download_url, expected_md5_digest
-def get_source_tarball(package_name,verbose=0):
+def get_source_tarball(package_name,verbose=0,allow_unsafe_download=False):
download_url, expected_md5_digest = find_tar_gz(package_name,
verbose=verbose)
+ if not download_url.startswith('https://'):
+ if allow_unsafe_download:
+ warnings.warn('downloading from unsafe url: %s' % download_url)
+ else:
+ raise ValueError('PYPI returned unsafe url: %s' % download_url)
+
fname = download_url.split('/')[-1]
if expected_md5_digest is not None:
if os.path.exists(fname):
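Review bot: The `download_url.startswith('https://')` guard in get_source_tarball only refuses plaintext URLs; as the commit message itself says, the urllib2 transport does not validate certificates, so an `https://` URL that passes the check still carries no authenticity guarantee, and the `ValueError('PYPI returned unsafe url: ...')` wording overstates what the check provides. The new `allow_unsafe_download` parameter is undocumented; a docstring line such as `allow_unsafe_download: permit a non-https download URL (with a warning); note that https URLs are not certificate-validated here` would keep callers from treating the flag as MITM protection. `warnings.warn` is called on the added line but no `import warnings` is visible in either hunk — confirm it exists at the top of the module, otherwise the unsafe-URL path raises NameError instead of warning. The body of get_source_tarball continues past the end of the hunk; the `expected_md5_digest` comparison that follows appears to be the only integrity check, and since that digest is obtained from the same unvalidated connection it cannot compensate for the missing certificate validation.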
