Red Hat Bugzilla – Bug 855320
python-requests: Embedded urllib3 does not perform SSL certificate verification by default
Last modified: 2013-04-08 23:48:54 EDT
It was reported that urllib3, a Python HTTP library with thread-safe connection pooling and file post support, did not perform SSL certificate verification by default. A rogue HTTP server could use this flaw to conduct man-in-the-middle (MITM) attacks.
Patch applied by the Ubuntu Linux distribution:
This issue affects the versions of the python-requests package as shipped with Fedora releases 16 and 17. Please schedule an update.
This issue affects the version of the python-requests package as shipped with Fedora EPEL 6. Please schedule an update.
Created python-requests tracking bugs for this issue
Affects: fedora-all [bug 855322]
Affects: epel-6 [bug 855323]
Reproducer (from https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0):
The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can easily be MITM'd:
from urllib3 import HTTPSConnectionPool
# No cert_reqs/ca_certs are given, so with the vulnerable default the
# server certificate is never checked and the connection can be MITM'd.
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print(r.status, r.headers.get('location'))
r = http_pool.urlopen('GET', '/', redirect=True)
print(r.status, len(r.data))
Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')
Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
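An added example (not from the bug report, the Ubuntu patch, or urllib3's own code) showing what the two cert_reqs settings above mean at the ssl level, plus a small audit helper that flags the insecure default. build_context and audit_context are hypothetical names; ca_certs=None falls back to the system trust store instead of the /etc/ssl/certs path quoted above.

```python
import ssl

# Accepted spellings of urllib3's string-valued cert_reqs argument.
_CERT_REQS = {"CERT_NONE": ssl.CERT_NONE, "CERT_REQUIRED": ssl.CERT_REQUIRED}


def build_context(cert_reqs="CERT_NONE", ca_certs=None):
    """Build an ssl.SSLContext matching the two pool constructions above.

    cert_reqs="CERT_NONE" is the pre-fix urllib3 default: the peer certificate
    is never checked, so any certificate a MITM presents is accepted.
    cert_reqs="CERT_REQUIRED" with a CA bundle is what the fix passes.
    (Hypothetical helper, not urllib3 API.)
    """
    if cert_reqs not in _CERT_REQS:
        raise ValueError("cert_reqs must be CERT_NONE or CERT_REQUIRED, got %r" % (cert_reqs,))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts out strict
    if _CERT_REQS[cert_reqs] == ssl.CERT_NONE:
        # check_hostname must be cleared first: ssl refuses CERT_NONE while it is set.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        if ca_certs:
            ctx.load_verify_locations(cafile=ca_certs)  # e.g. the bundle path quoted above
        else:
            ctx.load_default_certs()  # assumption: system trust store stands in for a bundle
    return ctx


def audit_context(ctx):
    """Report whether a context would actually stop the MITM described in the bug."""
    stats = ctx.cert_store_stats()
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "trusted_cas": stats["x509"],
    }


if __name__ == "__main__":
    for reqs in ("CERT_NONE", "CERT_REQUIRED"):
        print(reqs, audit_context(build_context(reqs)))
```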
Created attachment 610700 [details]
Local copy of the Ubuntu patch
I sent an email to the creator of python-requests a couple of days back; here is the response I got from him.
Just sending this for your information, in case you haven't noticed it before. There has been a vulnerability reported in the urllib3 library, which is embedded in python-requests. I have been asked to fix it and schedule an update. Please check https://bugzilla.redhat.com/show_bug.cgi?id=855320 and http://www.openwall.com/lists/oss-security/2012/09/07/7
This seems like a design decision, not a vulnerability.
Requests performs certificate verification by default.
Anyway, I will schedule an update using this patch. I will also try to remove the bundling of urllib3 if I can.
Not fixed as of 2012-02-04, Fedora 17.
Fixed with python-urllib3-1.5-5 and python-requests-1.1.0-3