This repository has been archived by the owner on Jul 24, 2023. It is now read-only.
HTTPS requests made by this package are vulnerable to MITM attacks when the user does not have pycurl installed, because urllib2 does not verify SSL certificates.
While openid.fetchers also has a fetcher for httplib2, unless explicitly registered it will not be chosen as the default fetcher.
At the very least I feel that this should be documented somewhere, but in my opinion the package should simply add a dependency on a library such as Requests that does SSL verification, and avoid the shenanigans of trying to import various other third-party libraries with fallbacks. If this is not feasible, then the httplib2 should at least be prioritized above urllib2, and perhaps a Requests fetcher should be added as the preferred fetcher.
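Added example, not part of the original issue and not this package's code: a sketch of the fail-closed fetcher selection the issue asks for, written against the Python 3 standard library rather than urllib2. The names `VerifyingFetcher`, `choose_fetcher`, `context_verifies`, `legacy_context` and `InsecureTransportError` are hypothetical.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


class InsecureTransportError(Exception):
    """An https fetch would run without certificate verification."""


def context_verifies(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def legacy_context():
    """Constructed stand-in for a client that skips certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


class VerifyingFetcher:
    """Hypothetical fetcher: urllib with an explicit TLS context."""

    def __init__(self, context=None):
        if context is None:
            context = ssl.create_default_context()  # system CAs, hostname check
        self.context = context

    def fetch(self, url, timeout=10):
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("http", "https"):
            raise ValueError("unsupported scheme: %r" % scheme)
        # Fail closed before any bytes are sent.
        if scheme == "https" and not context_verifies(self.context):
            raise InsecureTransportError(url)
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=self.context))
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()


def choose_fetcher(candidates):
    """Pick the first verifying fetcher; never fall back to a weaker one."""
    for fetcher in candidates:
        if context_verifies(fetcher.context):
            return fetcher
    raise InsecureTransportError("no certificate-verifying fetcher available")
```

Selection here raises when no verifying transport is available instead of silently falling back to one that skips certificate checks.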