
(PUP-6413) Use https when talking to pypi #5024

Merged: 1 commit merged into puppetlabs:3.x from nibalizer's fix_pip branch, Jun 16, 2016

Conversation

nibalizer (Contributor):

We really shouldn't use this code any more. But we are using it.
Pypi changed behaviour today because of vulnerabilities in urllib, which
is used by pip.

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Pypi changed to denying http requests entirely instead of redirecting to
https. (I guess? I don't really understand)

Without this patch:

root@derpderp:~# cat foo.pp
    package { 'diskimage-builder':
      ensure   => latest,
      provider => pip,
    }

root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds

So this breaks any puppet 3.x using the default pip provider.

With this patch, it just works.

whopper (Contributor) commented Jun 15, 2016:

@nibalizer woot, thanks! Seems simple enough 👍, I think we should be able to review this soon

@whopper whopper changed the title Use https when talking to pypi (PUP-6413) Use https when talking to pypi Jun 15, 2016
nibalizer (Contributor, Author):

As a workaround, we can use the 'openstack_pip' provider here http://git.openstack.org/cgit/openstack-infra/puppet-pip/tree/

whopper (Contributor) commented Jun 15, 2016:

@nibalizer ah, there are a few instances of http://pypi in spec/unit/provider/package/pip_spec.rb, lines 123 and 148. If you make those https the tests should pass.

joshuaspence (Contributor):

+1 on this pull request.

puppetcla:

CLA signed by all contributors.

Poil commented Jun 16, 2016:

+1 We need this ASAP on 3.x and 4.x

We really shouldn't use this code any more. But we are using it.
Pypi changed behaviour today because of vulnerabilities in urllib, which
is used by pip.

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Pypi changed to denying http requests entirely instead of redirecting to
https when the Content-Type is text/xml and the Accept is application/xml

Example:

root@derpderp:~# curl -L -H "Accept: application/xml" -H "Content-Type: text/xml" -X POST  "http://pypi.python.org/pypi/"
Forbidden

Must access using HTTPS instead of HTTP

Without this patch:

root@derpderp:~# cat foo.pp
    package { 'diskimage-builder':
      ensure   => latest,
      provider => pip,
    }

root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
   (at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds

So this breaks any puppet 3.x using the default pip provider.

With this patch, it just works.
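
The failure shown above is a plain-http XML-RPC POST to PyPI being answered with a 403. The following is an added example, written for this page and not code from the puppetlabs/puppet pull request or from the pip provider, of a small client for the same `package_releases` call that refuses any endpoint whose scheme is not https and verifies the server certificate, so the scheme can only be set correctly rather than merely defaulting to the right value. Function names (`require_https`, `latest_version`, `post_xmlrpc`), the `PypiError` class and the two stand-in transports (`fake_pypi`, `forbidden_pypi`) are assumptions of this example; the release lists and the 403 they produce are constructed, not captured from PyPI.

```python
# Added example (not the puppet pip provider's code): an https-only client for the
# XML-RPC call package_releases(name). The transport is injectable so the request
# and response handling can be exercised offline; the fixtures at the end are constructed.
import ssl
import urllib.error
import urllib.request
import xmlrpc.client
from urllib.parse import urlparse

# Endpoint named in the thread, with the scheme the pull request switches to.
PYPI_XMLRPC_URL = "https://pypi.python.org/pypi"

# Headers from the curl reproduction in the thread.
XMLRPC_HEADERS = {"Content-Type": "text/xml", "Accept": "application/xml"}


class PypiError(RuntimeError):
    """Raised when PyPI answers with an HTTP error, such as the 403 seen in the thread."""


def require_https(url):
    """Return url unchanged if it is https; refuse anything else instead of downgrading.

    A plain-http URL is rejected by PyPI with 403 and would also expose the request
    to on-path tampering, so a misconfigured scheme is treated as a hard error.
    """
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"PyPI endpoint must use https, got {scheme!r}: {url}")
    return url


def build_package_releases_request(name):
    """Encode the XML-RPC call package_releases(name) as a text/xml body (bytes)."""
    return xmlrpc.client.dumps((name,), methodname="package_releases").encode("utf-8")


def parse_package_releases_response(body):
    """Decode an XML-RPC methodResponse; returns the list of version strings."""
    params, _method = xmlrpc.client.loads(body)
    return list(params[0])


def default_transport(request):
    """Send the request with certificate and hostname verification (default SSL context)."""
    context = ssl.create_default_context()
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return resp.read()


def post_xmlrpc(url, body, transport=default_transport):
    """POST body to the https-only endpoint; map HTTP errors to PypiError."""
    request = urllib.request.Request(
        require_https(url), data=body, method="POST", headers=XMLRPC_HEADERS
    )
    try:
        return transport(request)
    except urllib.error.HTTPError as exc:
        # Same shape as the provider's message: "HTTP-Error: 403 Must access using HTTPS ..."
        raise PypiError(f"HTTP-Error: {exc.code} {exc.reason}") from exc


def latest_version(name, url=PYPI_XMLRPC_URL, transport=default_transport):
    """Return the newest release of `name`, or None when PyPI lists no releases."""
    body = post_xmlrpc(url, build_package_releases_request(name), transport)
    releases = parse_package_releases_response(body)
    return releases[0] if releases else None


# --- constructed stand-in transports for offline use (not captured from PyPI) ---

def fake_pypi(request):
    """Answers package_releases with a constructed release list, newest first."""
    params, method = xmlrpc.client.loads(request.data)
    if method != "package_releases" or not request.full_url.startswith("https://"):
        raise AssertionError("unexpected call")
    versions = {"diskimage-builder": ["1.17.0", "1.16.0"]}.get(params[0], [])
    return xmlrpc.client.dumps((versions,), methodresponse=True).encode("utf-8")


def forbidden_pypi(request):
    """Reproduces the 403 PyPI returns for non-HTTPS access, as quoted in the thread."""
    raise urllib.error.HTTPError(
        request.full_url, 403, "Must access using HTTPS instead of HTTP", {}, None
    )


if __name__ == "__main__":
    print(latest_version("diskimage-builder", transport=fake_pypi))
```

Calling `latest_version` with the default transport performs a real HTTPS request; the two stand-in transports let the parsing and the error mapping be checked without network access. Note that `require_https` deliberately does not rewrite `http://` to `https://`: a silently corrected URL hides the configuration mistake that caused the breakage in the first place.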
nibalizer (Contributor, Author):

@whopper updated.

@whopper whopper merged commit 858be73 into puppetlabs:3.x Jun 16, 2016
@nibalizer nibalizer deleted the fix_pip branch June 16, 2016 18:05
joshuaspence (Contributor):

Can we expect a new 3.x release soon?

mattj-io pushed a commit to datacentred/puppet that referenced this pull request Jul 4, 2016
l0b0 added a commit to l0b0/root that referenced this pull request Oct 8, 2016
esycat added a commit to esycat/puppet-pip that referenced this pull request Jan 2, 2018