(PUP-6413) Use https when talking to pypi #5024
Conversation
@nibalizer woot, thanks! Seems simple enough 👍, I think we should be able to review this soon
As a workaround, we can use the 'openstack_pip' provider here http://git.openstack.org/cgit/openstack-infra/puppet-pip/tree/
@nibalizer ah, there are a few instances of
+1 on this pull request.
CLA signed by all contributors.
+1 We need this ASAP on 3.x and 4.x
We really shouldn't use this code any more. But we are using it.

Pypi changed behaviour today because of vulnerabilities in urllib, which is used by pip.
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Pypi changed to denying http requests entirely instead of redirecting to https when the Content-Type is text/xml and the Accept is application/xml

Example:
root@derpderp:~# curl -L -H "Accept: application/xml" -H "Content-Type: text/xml" -X POST "http://pypi.python.org/pypi/"
Forbidden
Must access using HTTPS instead of HTTP

Without this patch:
root@derpderp:~# cat foo.pp
package { 'diskimage-builder':
  ensure   => latest,
  provider => pip,
}
root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds

So this breaks any puppet 3.x using the default pip provider.

With this patch, it just works.
@whopper updated.
Can we expect a new 3.x release soon?
See also [PUP-6413](puppetlabs/puppet#5024).
We really shouldn't use this code any more. But we are using it.
Pypi changed behaviour today because of vulnerabilities in urllib, which
is used by pip.
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
Pypi changed to denying http requests entirely instead of redirecting to
https. (I guess? I don't really understand)
Without this patch:
root@derpderp:~# cat foo.pp
package { 'diskimage-builder':
  ensure   => latest,
  provider => pip,
}
root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds
So this breaks any puppet 3.x using the default pip provider.
With this patch, it just works.
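The PR description and commit message above both come down to one change: the pip provider's package-index lookup must use https instead of http, because PyPI now answers cleartext XML-RPC requests with "403 Must access using HTTPS instead of HTTP". The following is an added example, written for this page and not taken from the Puppet pip provider or from this PR, that shows the weak default beside the corrected endpoint and wraps the fix in a small helper that normalises any configured index URL to https and refuses schemes that cannot carry TLS. The helper name `secure_index_url`, the `InsecureIndexError` class and the two URL constants are constructed for the example; only the two endpoint strings themselves appear on the page.

```ruby
require 'uri'

# Added example (not the Puppet pip provider's own code). The unpatched
# provider resolved "ensure => latest" by calling PyPI's XML-RPC endpoint
# over plain http; the patch switches that literal to https. Normalising
# the URL in one place means a mis-configured index cannot silently fall
# back to cleartext, where a network attacker could alter version data.

PYPI_INDEX_HTTP  = 'http://pypi.python.org/pypi'.freeze   # the weak default
PYPI_INDEX_HTTPS = 'https://pypi.python.org/pypi'.freeze  # what the patch uses

# Raised when a package-index URL is not, and cannot be made, https.
class InsecureIndexError < StandardError; end

# Return an https URL for a package index.
#   - https URLs are returned unchanged;
#   - http URLs are upgraded (an explicit :80 becomes the https default,
#     any other explicit port is kept) unless allow_upgrade is false;
#   - any other scheme (file:, ftp:, a bare host/path) is rejected.
def secure_index_url(url, allow_upgrade: true)
  uri = URI.parse(url.to_s)
  case uri.scheme
  when 'https'
    uri.to_s
  when 'http'
    raise InsecureIndexError, "refusing cleartext index #{url}" unless allow_upgrade
    URI::HTTPS.build(
      host:  uri.host,
      port:  (uri.port == 80 ? 443 : uri.port),
      path:  (uri.path.empty? ? '/' : uri.path),
      query: uri.query
    ).to_s
  else
    raise InsecureIndexError,
          "unsupported index scheme #{uri.scheme.inspect} in #{url.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Upgrades the weak default to the endpoint the patch uses.
  puts secure_index_url(PYPI_INDEX_HTTP)
  # Strict mode, as a provider might run once the patch is in place.
  begin
    secure_index_url(PYPI_INDEX_HTTP, allow_upgrade: false)
  rescue InsecureIndexError => e
    puts "rejected: #{e.message}"
  end
end
```

With `allow_upgrade: false` the helper behaves the way PyPI itself now does, failing closed on a cleartext URL instead of quietly redirecting, which is the more useful behaviour for a provider whose index setting is meant to be https from the start.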