Message204649
| Author |
Dima.Tisnek |
| Recipients |
Arfrever, Dima.Tisnek, barry, benjamin.peterson, christian.heimes, dstufft, eric.araujo, fweimer, icordasc, jcea, lnussel, loewis, naif, pitrou |
| Date |
2013年11月28日.13:08:09 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
re: cert_paths = [...]
This approach is rather problematic, there's no guarantee that a path trusted on one system is trusted on another.
I saw this in setuptools branch, where it does:
for path in cert_path:
if os.path.exists(path)
return path
Let's say you're user1 on osx and your native true path is "/System/Library/OpenSSL/certs/cert.pem", can you guarantee that someone else, user2, cannot sneak their hacked files into "/etc/pki/" (presumably missing altogether) or "/usr/local/share/"?
Because if user2 can do that, suddenly user1 verifies all traffic against hacked ca list. |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2013年11月28日 13:08:11 | Dima.Tisnek | set | recipients:
+ Dima.Tisnek, loewis, barry, jcea, pitrou, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, naif, icordasc, dstufft, fweimer, lnussel |
| 2013年11月28日 13:08:11 | Dima.Tisnek | set | messageid: <1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za> |
| 2013年11月28日 13:08:11 | Dima.Tisnek | link | issue13655 messages |
| 2013年11月28日 13:08:09 | Dima.Tisnek | create |
|