transifex-client: insufficient CVE-2013-2073 fix #42
Comments
@thoger Thanks for bringing it up. Do you think you can help us with a patch?
@diegobz Sorry, I have no ready-to-use fix that avoids adding an extra dependency (which I believe is the reason why the proposed fix using requests was not used). A quick search suggests it should be possible to do with a custom opener. I found this, but I haven't tested it at all yet: https://gist.github.com/schlamar/2993700
@thoger The problem with requests is that it uses the Apache license, which is incompatible with GPLv2. We are going to use urllib3, though. A patch should be ready soon.
Handled in 6d69d61
Can anyone hint at an easy way to test the fix? I'm not familiar with Hence I tried this: and the exception I get implies the certificate check passed. The server error log shows a 404 response was sent.
You are right, it does not. I will get back to you.
FYI, I tried to make or It seems bundled
Commit e24ea95 (plus a few follow-up commits) was added to add verification of the HTTPS certificate to avoid MITM attacks. The issue got CVE-2013-2073 assigned.
However, the fix is not really correct. The way it works is:
So the actual data is sent over unverified connections opened by urllib2. A MITM attacker should be able to steal all transferred data by allowing the "probe" connection opened by verify_ssl to connect to the real transifex server and only intercepting the subsequent urllib2 connection.
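The mismatch the report describes, as an added simulation that is not transifex-client code: a client that verifies the certificate on a throw-away probe connection and then sends its data over a second, unverified connection, beside a client that verifies the connection actually carrying the data. The Server, Connection and OnPathAttacker classes are constructed stand-ins for a TLS endpoint, a TLS session and an on-path attacker; the hostname comparison stands in for full chain and hostname validation, and make_verified_context shows the stdlib SSLContext shape a real fix would use so that no unverified socket can be opened at all.

```python
"""
Simulation of the flaw in the first CVE-2013-2073 fix: verify the server
certificate on a probe connection, then send the real request on a second
connection that is never verified. An attacker who lets the probe through
and intercepts only the data connection receives the data.

Constructed example: Server, Connection and OnPathAttacker model TLS
endpoints, sessions and routing; they are not transifex-client code.
"""
import ssl


class CertificateError(Exception):
    pass


class Server:
    """A TLS endpoint presenting a certificate issued for `cert_name`."""
    def __init__(self, cert_name):
        self.cert_name = cert_name
        self.received = []


class Connection:
    """One TLS session; `peer_cert` is the name the far end presented."""
    def __init__(self, server):
        self._server = server
        self.peer_cert = server.cert_name
        self.verified = False

    def verify(self, expected_host):
        # Hostname match stands in for chain validation plus hostname check.
        if self.peer_cert != expected_host:
            raise CertificateError(
                f"certificate for {self.peer_cert!r} does not match {expected_host!r}")
        self.verified = True

    def send(self, payload):
        self._server.received.append(payload)


class OnPathAttacker:
    """Passes the first `passthrough` connections to the real server, then
    terminates every later connection on its own endpoint, whose certificate
    would not validate for the real hostname."""
    def __init__(self, real_server, passthrough=1):
        self.real = real_server
        self.fake = Server("evil.example")
        self.passthrough = passthrough
        self.count = 0

    def connect(self, host):
        self.count += 1
        target = self.real if self.count <= self.passthrough else self.fake
        return Connection(target)


def vulnerable_upload(network, host, payload):
    """The pattern in the report: verify on one connection, send on another."""
    probe = network.connect(host)
    probe.verify(host)                 # passes: the probe reaches the real server
    data_conn = network.connect(host)  # fresh connection, never verified
    data_conn.send(payload)
    return data_conn.verified          # False


def fixed_upload(network, host, payload):
    """Verify the very connection that carries the data."""
    conn = network.connect(host)
    conn.verify(host)                  # raises if the peer is not the expected host
    conn.send(payload)
    return conn.verified


def make_verified_context():
    """Real-world shape of the fix: an SSLContext that checks chain and
    hostname on every socket it wraps, so an unverified data connection
    cannot be created by accident."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def run_scenario(upload, passthrough=1):
    """Run `upload` against an attacker and report who received the payload."""
    real = Server("www.transifex.com")
    mitm = OnPathAttacker(real, passthrough=passthrough)
    try:
        upload(mitm, "www.transifex.com", "api_token=SECRET")
    except CertificateError:
        pass
    return {"real_got": list(real.received),
            "attacker_got": list(mitm.fake.received)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_upload))
    print("fixed:     ", run_scenario(fixed_upload))
    print("fixed, all intercepted:", run_scenario(fixed_upload, passthrough=0))
```

With the attacker letting exactly one connection through, the vulnerable client hands the payload to the attacker even though its probe "verified" successfully; the fixed client either delivers to the real server or, when every connection is intercepted, refuses to send anything.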