Dima Tisnek added the comment:
re: cert_paths = [...]
This approach is rather problematic, there's no guarantee that a path trusted
on one system is trusted on another.
I saw this in setuptools branch, where it does:
for path in cert_path:
if os.path.exists(path)
return path
Let's say you're user1 on osx and your native true path is
"/System/Library/OpenSSL/certs/cert.pem", can you guarantee that someone else,
user2, cannot sneak their hacked files into "/etc/pki/" (presumably missing
altogether) or "/usr/local/share/"?
Because if user2 can do that, suddenly user1 verifies all traffic against
hacked ca list.
----------
nosy: +Dima.Tisnek
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue13655>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
