31 Jul
2015
31 Jul
'15
6 a.m.
On Fri, Jul 31, 2015 at 09:42:16AM +0100, Daniel P. Berrange wrote:
On Fri, Jul 31, 2015 at 09:15:13AM +0200, Guido Günther wrote:
On Thu, Jul 23, 2015 at 03:57:27PM +0000, Eren Yagdiran wrote: [..snip..]
+def get_url(server, path, headers): + url = "https://" + server + path + debug(" Fetching %s..." % url) + + req = urllib2.Request(url=url)
This does not seem to do any certificate validation (just in case this ends up in a distro's /usr/bin/ I can already see the CVE forthcoming).
IIUC, with latest python2/3 urllib2 will now do certificate validation by default for https urls.
Ahh...since last November. Thanks for pointing this out! Should we then at least check if python is recent enough? Cheers, -- Guido