[Python-checkins] cpython: Issue #14780: urllib.request.urlopen() now has a `cadefault` argument to use

antoine.pitrou python-checkins at python.org
Wed May 16 21:44:39 CEST 2012

• Previous message: [Python-checkins] cpython: Issue #14779: Get sizeof(void *) directly rather than relying on sysconfig.
• Next message: [Python-checkins] peps: Minor cleanup to match history.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

http://hg.python.org/cpython/rev/f2ed5de1c568
changeset: 77007:f2ed5de1c568
user: Antoine Pitrou <solipsis at pitrou.net>
date: Wed May 16 21:40:01 2012 +0200
summary:
 Issue #14780: urllib.request.urlopen() now has a `cadefault` argument to use the default certificate store.
Initial patch by James Oakley.
files:
 Doc/library/urllib.request.rst | 15 ++++++++++++---
 Lib/test/test_urllib2_localnet.py | 7 +++++++
 Lib/urllib/request.py | 11 +++++++----
 Misc/ACKS | 1 +
 Misc/NEWS | 3 +++
 5 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -16,7 +16,7 @@
 The :mod:`urllib.request` module defines the following functions:
 
 
-.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None)
+.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None, cadefault=True)
 
 Open the URL *url*, which can be either a string or a
 :class:`Request` object.
@@ -53,9 +53,15 @@
 point to a directory of hashed certificate files. More information can
 be found in :meth:`ssl.SSLContext.load_verify_locations`.
 
+ The *cadefault* parameter specifies whether to fall back to loading a
+ default certificate store defined by the underlying OpenSSL library if the
+ *cafile* and *capath* parameters are omitted. This will only work on
+ some non-Windows platforms.
+
 .. warning::
- If neither *cafile* nor *capath* is specified, an HTTPS request
- will not do any verification of the server's certificate.
+ If neither *cafile* nor *capath* is specified, and *cadefault* is False,
+ an HTTPS request will not do any verification of the server's
+ certificate.
 
 This function returns a file-like object that works as a :term:`context manager`,
 with two additional methods from the :mod:`urllib.response` module
@@ -92,6 +98,9 @@
 .. versionadded:: 3.2
 *data* can be an iterable object.
 
+ .. versionchanged:: 3.3
+ *cadefault* was added.
+
 .. function:: install_opener(opener)
 
 Install an :class:`OpenerDirector` instance as the default global opener.
diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py
--- a/Lib/test/test_urllib2_localnet.py
+++ b/Lib/test/test_urllib2_localnet.py
@@ -474,6 +474,13 @@
 self.urlopen("https://localhost:%s/bizarre" % handler.port,
 cafile=CERT_fakehostname)
 
+ def test_https_with_cadefault(self):
+ handler = self.start_https_server(certfile=CERT_localhost)
+ # Self-signed cert should fail verification with system certificate store
+ with self.assertRaises(urllib.error.URLError) as cm:
+ self.urlopen("https://localhost:%s/bizarre" % handler.port,
+ cadefault=True)
+
 def test_sending_headers(self):
 handler = self.start_server()
 req = urllib.request.Request("http://localhost:%s/" % handler.port,
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -135,16 +135,19 @@
 
 _opener = None
 def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
- *, cafile=None, capath=None):
+ *, cafile=None, capath=None, cadefault=False):
 global _opener
- if cafile or capath:
+ if cafile or capath or cadefault:
 if not _have_ssl:
 raise ValueError('SSL support not available')
 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 context.options |= ssl.OP_NO_SSLv2
- if cafile or capath:
+ if cafile or capath or cadefault:
 context.verify_mode = ssl.CERT_REQUIRED
- context.load_verify_locations(cafile, capath)
+ if cafile or capath:
+ context.load_verify_locations(cafile, capath)
+ else:
+ context.set_default_verify_paths()
 check_hostname = True
 else:
 check_hostname = False
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -746,6 +746,7 @@
 John O'Connor
 Kevin O'Connor
 Tim O'Malley
+James Oakley
 Jon Oberheide
 Pascal Oberndoerfer
 Jeffrey Ollie
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -34,6 +34,9 @@
 Library
 -------
 
+- Issue #14780: urllib.request.urlopen() now has a ``cadefault`` argument
+ to use the default certificate store. Initial patch by James Oakley.
+
 - Issue #14829: Fix bisect and range() indexing with large indices
 (>= 2 ** 32) under 64-bit Windows.
 
-- 
Repository URL: http://hg.python.org/cpython

---

• Previous message: [Python-checkins] cpython: Issue #14779: Get sizeof(void *) directly rather than relying on sysconfig.
• Next message: [Python-checkins] peps: Minor cleanup to match history.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list