pip does not verify SSL certificates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-pip (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Quantal | Won't Fix | Undecided | Unassigned |
Bug Description
pip uses urllib2 to fetch packages, which means that it doesn't do any SSL cert verification.
At some level this is just the cost of urllib2 sucking. I wasn't able to find any prior actions from the security team on urllib2 not doing certificate validation, so I'm naively guessing that it's being accepted as the cost of doing business. But I think it's particularly concerning for pip, since it downloads and installs code onto the system.
I've attached a quickly hacked together patch that overrides httplib.
Marking as embargoed for the time being, though that's possibly a bit silly, so feel free to change if you don't feel it merits an embargo.
(Note that it's also not possible to get pip to download over SSL from pypi - although pypi serves over SSL, its links to the actual code download are over plaintext HTTP. I ran into this while working on Stripe's code hosting site at https:/
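The report raises two separate problems: the fetch itself does not verify the server certificate, and the index can point at plaintext HTTP download links even when it is served over HTTPS. The following is an added example, not code from the bug report, pip or the attached patch; it builds a urllib opener that enforces certificate and hostname verification, and audits a constructed index page (not a real PyPI listing) for download links that would be fetched in the clear.

```python
import ssl
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def verified_opener():
    """Build a urllib opener whose HTTPS handler verifies certificates.

    ssl.create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True and loads the platform trust store, so a fetch
    through this opener fails on an untrusted or mismatched certificate
    instead of silently accepting it.
    """
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    return opener, ctx


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def plaintext_download_links(index_url, index_html):
    """Return the absolute download links that would be fetched over plain
    HTTP, i.e. links an on-path attacker could tamper with even though the
    index page itself was served over HTTPS."""
    parser = _LinkCollector()
    parser.feed(index_html)
    absolute = [urljoin(index_url, h) for h in parser.hrefs]
    return [u for u in absolute if urlparse(u).scheme == "http"]


# Constructed sample index page (hypothetical hosts, not a real PyPI listing).
SAMPLE_INDEX_URL = "https://pypi.example.org/simple/examplepkg/"
SAMPLE_INDEX_HTML = """<html><body>
<a href="http://files.example.org/examplepkg-1.0.tar.gz">1.0</a>
<a href="https://files.example.org/examplepkg-1.1.tar.gz">1.1</a>
<a href="examplepkg-1.2.tar.gz">1.2</a>
</body></html>"""

if __name__ == "__main__":
    print(plaintext_download_links(SAMPLE_INDEX_URL, SAMPLE_INDEX_HTML))
```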
CVE References
tags: added: patch
Changed in python-pip (Ubuntu): status: Expired → Confirmed
Changed in python-pip (Ubuntu Quantal): status: Confirmed → Won't Fix
Upstream bug:
https://github.com/pypa/pip/issues/425