McSinyx
/
pip
mirror of https://github.com/pypa/pip
1
1
Fork 0
Code Issues Releases Activity

don't complain about localhost when checking security of index links 

based entirely off of Guy Rozendorn's work in PR #1718
This commit is contained in:
Richard Jones 2014-08-11 14:21:02 +10:00
parent 1605b761c8
commit 704f658c63
2 changed files with 64 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
pip/index.py
View File

@ -23,6 +23,7 @@ from pip._vendor.requests.exceptions import SSLError
__all__ = ['PackageFinder']
LOCAL_HOSTNAMES = ('localhost', '127.0.0.1')
INSECURE_SCHEMES = {
"http": ["https"],
}
@ -185,6 +186,36 @@ class PackageFinder(object):
reverse=True
)
def _warn_about_insecure_transport_scheme(self, logger, location):
# Determine if this url used a secure transport mechanism
parsed = urlparse.urlparse(str(location))
if parsed.scheme in INSECURE_SCHEMES:
secure_schemes = INSECURE_SCHEMES[parsed.scheme]
if parsed.hostname in LOCAL_HOSTNAMES:
# localhost is not a security risk
pass
elif len(secure_schemes) == 1:
ctx = (location, parsed.scheme, secure_schemes[0],
parsed.netloc)
logger.warn("%s uses an insecure transport scheme (%s). "
"Consider using %s if %s has it available" %
ctx)
elif len(secure_schemes) > 1:
ctx = (
location,
parsed.scheme,
", ".join(secure_schemes),
parsed.netloc,
)
logger.warn("%s uses an insecure transport scheme (%s). "
"Consider using one of %s if %s has any of "
"them available" % ctx)
else:
ctx = (location, parsed.scheme)
logger.warn("%s uses an insecure transport scheme (%s)." %
ctx)
def find_requirement(self, req, upgrade):
def mkurl_pypi_url(url):
@ -240,32 +271,7 @@ class PackageFinder(object):
logger.debug('URLs to search for versions for %s:' % req)
for location in locations:
logger.debug('* %s' % location)
# Determine if this url used a secure transport mechanism
parsed = urlparse.urlparse(str(location))
if parsed.scheme in INSECURE_SCHEMES:
secure_schemes = INSECURE_SCHEMES[parsed.scheme]
if len(secure_schemes) == 1:
ctx = (location, parsed.scheme, secure_schemes[0],
parsed.netloc)
logger.warn("%s uses an insecure transport scheme (%s). "
"Consider using %s if %s has it available" %
ctx)
elif len(secure_schemes) > 1:
ctx = (
location,
parsed.scheme,
", ".join(secure_schemes),
parsed.netloc,
)
logger.warn("%s uses an insecure transport scheme (%s). "
"Consider using one of %s if %s has any of "
"them available" % ctx)
else:
ctx = (location, parsed.scheme)
logger.warn("%s uses an insecure transport scheme (%s)." %
ctx)
self._warn_about_insecure_transport_scheme(logger, location)
found_versions = []
found_versions.extend(

32
tests/unit/test_index.py
View File

@ -106,3 +106,35 @@ class TestLink(object):
)
def test_base_url(html, url, expected):
assert HTMLPage(html, url).base_url == expected
class MockLogger(object):
def __init__(self):
self.called = False
def warn(self, *args, **kwargs):
self.called = True
class TestInsecureTransport(object):
def _assert_call_to_logger(self, location, expected_result):
finder = PackageFinder([], [], session=[])
logger = MockLogger()
finder._warn_about_insecure_transport_scheme(logger, location)
assert logger.called == expected_result
def test_pypi_http(self):
location = 'http://pypi.python.org/something'
self._assert_call_to_logger(location, expected_result=True)
def test_pypi_https(self):
location = 'https://pypi.python.org/something'
self._assert_call_to_logger(location, expected_result=False)
def test_localhost_http(self):
location = 'http://localhost'
self._assert_call_to_logger(location, expected_result=False)
def test_localhost_by_ip(self):
location = 'http://127.0.0.1'
self._assert_call_to_logger(location, expected_result=False)