From 6aa49ad57e30e9d74ec07f0de827715ea3afcf90 Mon Sep 17 00:00:00 2001
From: Elad Alfassa
Date: Thu, 20 Feb 2014 23:45:51 +0200
Subject: [PATCH] [web] Security: verify HTTPS connections

Willie now verifies HTTPS connections when calling HTTPS-enabled web APIs. It will use ca_certs from the config file, and fallback to /etc/pki/tls/certs/ca-bundle.crt if ca_certs is missing from config. Verification of hostnames is done using backports.ssl_match_hostname. This package is now mandatory to use willie.web, and is the most secure and forward-compatible way (it's not needed in Python 3) to do hostname validation. Module authors specify verify_ssl = False in all web.py helper functions, if they wish to disable https verification functionality. Also change youtube.py to use gdata API over https, for easier testing of this functionality. Fixes #456
---
 youtube.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/youtube.py b/youtube.py
index 25366e99db..fa3af09745 100644
--- youtube.py
+++ youtube.py
@@ -126,7 +126,7 @@ def ytsearch(bot, trigger):
 #modified from ytinfo: Copyright 2010-2011, Michael Yanovich, yanovich.net, Kenneth Sham.
 if not trigger.group(2):
 return
- uri = 'http://gdata.youtube.com/feeds/api/videos?v=2&alt=json&max-results=1&q=' + trigger.group(2).encode('utf-8')
+ uri = 'https://gdata.youtube.com/feeds/api/videos?v=2&alt=json&max-results=1&q=' + trigger.group(2).encode('utf-8')
 uri = uri.replace(' ', '+')
 video_info = ytget(bot, trigger, uri)
@@ -153,7 +153,7 @@ def ytinfo(bot, trigger, found_match=None):
 """
 match = found_match or trigger
 #Grab info from YT API
- uri = 'http://gdata.youtube.com/feeds/api/videos/' + match.group(2) + '?v=2&alt=json'
+ uri = 'https://gdata.youtube.com/feeds/api/videos/' + match.group(2) + '?v=2&alt=json'
 video_info = ytget(bot, trigger, uri)
 if video_info is 'err':
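Review bot: The search text in ytsearch is still concatenated into the query string unencoded; only spaces are replaced with `+`, so a `&`, `#` or `%` typed by an IRC user changes the parameters sent to the API instead of being searched for. Percent-encode the value before building the URL, e.g. `uri = 'https://gdata.youtube.com/feeds/api/videos?v=2&alt=json&max-results=1&q=' + quote_plus(trigger.group(2).encode('utf-8'))` with `quote_plus` from `urllib` (`urllib.parse` on Python 3), which also makes the `uri.replace(' ', '+')` line unnecessary. The ytinfo hunk has the same pattern with `match.group(2)` placed in the URL path; whether that is safe depends on the regex that produces the match, which is outside the hunk. Both function bodies continue outside their hunks.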
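Review bot: In the ytinfo hunk, `if video_info is 'err':` compares identity with a string literal, which only holds while the interpreter happens to intern both strings; it should be `if video_info == 'err':`. ytget is not visible here, but if it reports a failed request by returning 'err' (presumably now including a certificate verification failure), a missed comparison lets the caller carry on with the error marker as if it were video data. The switch to https also protects these calls only if ytget leaves verification enabled, so it is worth confirming that it does not pass `verify_ssl = False`. The body of the `if` lies outside the hunk.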