Mercurial > hg-stable
view tests/test-non-interactive-wsgi @ 12592:f2937d6492c5 stable
url: verify correctness of https server certificates (issue2407)
Pythons SSL module verifies that certificates received for HTTPS are valid
according to the specified cacerts, but it doesn't verify that the certificate
is for the host we connect to.
We now explicitly verify that the commonName in the received certificate
matches the requested hostname and is valid for the time being.
This is a minimal patch where we try to fail to the safe side, but we do still
rely on Python's SSL functionality and do not try to implement the standards
fully and correctly. CRLs and subjectAltName are not handled and proxies
haven't been considered.
This change might break connections to some sites if cacerts is specified and
the certificates (by our definition) isn't correct. The workaround is to
disable cacerts which in most cases isn't much worse than it was before with
cacerts.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Fri, 01 Oct 2010 00:46:59 +0200 |
parents | 38864218c4cc |
children |
line wrap: on
line source
#!/bin/sh # Tests if hgweb can run without touching sys.stdin, as is required # by the WSGI standard and strictly implemented by mod_wsgi. mkdir repo cd repo hg init echo foo > bar hg add bar hg commit -m "test" hg tip cat > request.py <<EOF from mercurial import dispatch from mercurial.hgweb.hgweb_mod import hgweb from mercurial.ui import ui from mercurial import hg from StringIO import StringIO import os, sys class FileLike(object): def __init__(self, real): self.real = real def fileno(self): print >> sys.__stdout__, 'FILENO' return self.real.fileno() def read(self): print >> sys.__stdout__, 'READ' return self.real.read() def readline(self): print >> sys.__stdout__, 'READLINE' return self.real.readline() sys.stdin = FileLike(sys.stdin) errors = StringIO() input = StringIO() output = StringIO() def startrsp(headers, data): print '---- HEADERS' print headers print '---- DATA' print data return output.write env = { 'wsgi.version': (1, 0), 'wsgi.url_scheme': 'http', 'wsgi.errors': errors, 'wsgi.input': input, 'wsgi.multithread': False, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'REQUEST_METHOD': 'GET', 'SCRIPT_NAME': '', 'PATH_INFO': '', 'QUERY_STRING': '', 'SERVER_NAME': '127.0.0.1', 'SERVER_PORT': os.environ['HGPORT'], 'SERVER_PROTOCOL': 'HTTP/1.0' } i = hgweb('.') i(env, startrsp) print '---- ERRORS' print errors.getvalue() print '---- OS.ENVIRON wsgi variables' print sorted([x for x in os.environ if x.startswith('wsgi')]) print '---- request.ENVIRON wsgi variables' print sorted([x for x in i.repo.ui.environ if x.startswith('wsgi')]) EOF python request.py