
Improve security when downloading from pypi

1 parent 9c6cbcc commit ffadb0bcdef1e385884571670210cfd6ba351784 Guillaume Gauvrit committed Feb 6, 2013
Showing with 3,472 additions and 3 deletions.
  1. +1 −1 MANIFEST.in
  2. +6 −1 pyshop/helpers/download.py
  3. +3,460 −0 pyshop/helpers/pypi.pem
  4. +5 −1 pyshop/views/repository.py
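--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,2 +1,2 @@
 include *.txt *.ini *.cfg *.rst
-recursive-include pyshop *.ico *.png *.css *.scss *.txt *.js *.html *.pot *.po
+recursive-include pyshop *.ico *.png *.css *.scss *.txt *.js *.html *.pot *.po *.pem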
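--- a/pyshop/helpers/download.py
+++ b/pyshop/helpers/download.py
@@ -33,7 +33,12 @@ def __call__(self, value, system):
 if not os.path.exists(dir_):
 os.makedirs(dir_, 0750)
-resp = requests.get(value['url'])
+if value['url'].startswith('https://pypi.python.org'):
+verify = os.path.join(os.path.dirname(__file__), 'pypi.pem')
+else:
+verify = value['url'].startswith('https:')
+
+resp = requests.get(value['url'], verify=verify)
 with open(f, 'wb') as rf:
 rf.write(resp.content)
 return resp.content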
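Review bot: The host test on the new `if value['url'].startswith('https://pypi.python.org'):` line is a bare string prefix, so any URL whose hostname merely begins with pypi.python.org also selects the bundled pypi.pem; end the prefix at the path separator, `if value['url'].startswith('https://pypi.python.org/'):`, or compare the parsed netloc for an exact match. The same prefix pattern appears in the pyshop/views/repository.py hunk and should be fixed there too. Every pypi.python.org download is now verified only against the shipped pypi.pem, so a certificate change on that host will surface as a verification failure until the file is refreshed; a comment beside `verify = os.path.join(os.path.dirname(__file__), 'pypi.pem')` recording where the bundle came from and how to regenerate it would make that maintenance step visible. The response status is still not checked before `rf.write(resp.content)`, so an error page would be cached as the release file; that predates this commit but is worth a `resp.raise_for_status()` now that the fetch path is being hardened. `__call__` begins before the hunk.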
3,460 pyshop/helpers/pypi.pem
3,460 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
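--- a/pyshop/views/repository.py
+++ b/pyshop/views/repository.py
@@ -6,8 +6,12 @@ def get_release_file(root, request):
 session = DBSession()
 f = ReleaseFile.by_id(session, int(request.matchdict['file_id']))
+url = f.url
+if url.startswith('http://pypi.python.org'):
+url = 'https' + url[4:]
+
 rv = {'id': f.id,
-'url': f.url,
+'url': url,
 'filename': f.filename,
 }
 f.downloads += 1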
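Review bot: `if url.startswith('http://pypi.python.org'):` matches any host whose name begins with pypi.python.org rather than that host alone; use `if url.startswith('http://pypi.python.org/'):` so the prefix ends at the path, and keep it in step with the host test in the pyshop/helpers/download.py hunk, which gates certificate verification on the same string. The scheme rewrite only buys integrity because the download helper verifies the resulting https connection, so the two checks should be kept identical or share one helper. Release files stored with any other plain-http URL are still fetched unverified, which may be intentional but deserves a comment such as `# only pypi.python.org is upgraded to https; other hosts keep their stored scheme`. get_release_file continues outside the hunk.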
