[web] Security: verify HTTPS connections
Willie now verifies HTTPS connections when calling HTTPS-enabled web APIs.
It will use ca_certs from the config file,
and fall back to /etc/pki/tls/certs/ca-bundle.crt if ca_certs is missing from
config.

Verification of hostnames is done using backports.ssl_match_hostname.
This package is now mandatory to use willie.web, and is the most secure
and forward-compatible way (it's not needed in Python 3) to do hostname
validation.

Module authors specify verify_ssl = False in all web.py helper functions,
if they wish to disable https verification functionality.

Also change youtube.py to use gdata API over https, for easier testing
of this functionality.

Fixes sopel-irc#456
Elad Alfassa committed Feb 20, 2014
1 parent 5b808bf commit 6aa49ad
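
The verification policy the commit message describes (CA bundle from config, a fallback path, a `verify_ssl` opt-out), written with Python 3's standard `ssl` module as an added example; it is not Willie's `web.py`, and the names `resolve_ca_bundle`, `build_context` and `connect_verified` are hypothetical. It assumes a missing bundle should fail closed rather than disable verification.

```python
import os
import socket
import ssl

# Fallback bundle path named in the commit message.
FALLBACK_CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def resolve_ca_bundle(configured=None, fallback=FALLBACK_CA_BUNDLE):
    """Pick the CA bundle: the configured ca_certs, else the fallback path."""
    path = configured or fallback
    if not os.path.isfile(path):
        # Assumption: fail closed. A missing bundle must never silently
        # turn certificate verification off.
        raise FileNotFoundError("CA bundle not found: %s" % path)
    return path


def build_context(ca_bundle=None, verify_ssl=True):
    """Return an SSLContext; ca_bundle=None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify_ssl:
        # Explicit opt-out only. check_hostname has to be cleared first,
        # otherwise setting CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_verified(host, ctx, port=443, timeout=10):
    """Open a TLS socket; chain and hostname are checked in the handshake."""
    sock = socket.create_connection((host, port), timeout)
    try:
        # server_hostname is the name the certificate is matched against.
        return ctx.wrap_socket(sock, server_hostname=host)
    except OSError:  # ssl.SSLError and certificate errors are OSError subclasses
        sock.close()
        raise
```
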
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions youtube.py
Expand Up @@ -126,7 +126,7 @@ def ytsearch(bot, trigger):
#modified from ytinfo: Copyright 2010-2011, Michael Yanovich, yanovich.net, Kenneth Sham.
if not trigger.group(2):
return
uri = 'http://gdata.youtube.com/feeds/api/videos?v=2&alt=json&max-results=1&q=' + trigger.group(2).encode('utf-8')
uri = 'https://gdata.youtube.com/feeds/api/videos?v=2&alt=json&max-results=1&q=' + trigger.group(2).encode('utf-8')
uri = uri.replace(' ', '+')
video_info = ytget(bot, trigger, uri)
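
Review bot: on the changed `uri = ...&q=` line the search text from `trigger.group(2)` is appended with only `.encode('utf-8')` and a space-to-`+` replace, so characters such as `&`, `#` or `%` in the user's query alter the query string sent to the API. Percent-encode the value before concatenating (for example with `urllib.quote_plus`), which also makes the `uri.replace(' ', '+')` line unnecessary.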

Expand All @@ -153,7 +153,7 @@ def ytinfo(bot, trigger, found_match=None):
"""
match = found_match or trigger
#Grab info from YT API
uri = 'http://gdata.youtube.com/feeds/api/videos/' + match.group(2) + '?v=2&alt=json'
uri = 'https://gdata.youtube.com/feeds/api/videos/' + match.group(2) + '?v=2&alt=json'

video_info = ytget(bot, trigger, uri)
if video_info is 'err':
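
Review bot: in the trailing context of this hunk, `if video_info is 'err':` tests object identity rather than equality, so the error branch is taken only when both strings happen to be the same interned object. Use `video_info == 'err'` so the error result from `ytget` is handled reliably.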