From 3f6d52e42eb42d7c4f0a9f2da54db341bbfa73ad Mon Sep 17 00:00:00 2001 From: Vinson Lee Date: Sun, 3 Jul 2016 00:18:44 -0700 Subject: [PATCH] pypi.py: Use HTTPS for PyPi. PyPi now requires HTTPS after CVE-2016-5699. http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html This patch fixes this error on Fedora. $ yolk --version Traceback (most recent call last): File "/usr/bin/yolk", line 9, in load_entry_point('yolk==0.4.3', 'console_scripts', 'yolk')() File "/usr/lib/python2.7/site-packages/yolk/cli.py", line 1090, in main my_yolk.run() File "/usr/lib/python2.7/site-packages/yolk/cli.py", line 180, in run self.pypi = CheeseShop(self.options.debug) File "/usr/lib/python2.7/site-packages/yolk/pypi.py", line 109, in __init__ self.get_cache() File "/usr/lib/python2.7/site-packages/yolk/pypi.py", line 127, in get_cache self.fetch_pkg_list() File "/usr/lib/python2.7/site-packages/yolk/pypi.py", line 184, in fetch_pkg_list package_list = self.list_packages() File "/usr/lib/python2.7/site-packages/yolk/pypi.py", line 202, in list_packages return self.xmlrpc.list_packages() File "/usr/lib64/python2.7/xmlrpclib.py", line 1240, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.7/xmlrpclib.py", line 1599, in __request verbose=self.__verbose File "/usr/lib/python2.7/site-packages/yolk/pypi.py", line 64, in request fhandle = opener.open(request) File "/usr/lib64/python2.7/urllib2.py", line 437, in open response = meth(req, response) File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response 'http', request, response, code, msg, hdrs) File "/usr/lib64/python2.7/urllib2.py", line 475, in error return self._call_chain(*args) File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/usr/lib64/python2.7/urllib2.py", line 558, in http_error_default raise HTTPError(req.get_full_url(), code, msg, hdrs, fp) urllib2.HTTPError: HTTP Error 403: Must access using HTTPS instead of HTTP 
Signed-off-by: Vinson Lee
---
 yolk/pypi.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yolk/pypi.py b/yolk/pypi.py
index 3ba3ba0..3058775 100644
--- a/yolk/pypi.py
+++ b/yolk/pypi.py
@@ -80,7 +80,7 @@ def request(self, host, handler, request_body, verbose):
 '''Send xml-rpc request using proxy'''
 #We get a traceback if we don't have this attribute:
 self.verbose = verbose
- url = 'http://' + host + handler
+ url = 'https://' + host + handler
 request = urllib2.Request(url)
 request.add_data(request_body)
 # Note: 'Host' and 'Content-Length' are added automatically
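Review bot: The hard-coded `https://` on the changed line only authenticates PyPI if the opener that later sends this request validates the server certificate, and that opener is created outside this hunk. The traceback in the commit message shows Python 2.7 with urllib2, which verifies certificates by default only from Python 2.7.9 (PEP 476); on older interpreters the connection would be encrypted but the server would not be authenticated. I would add a comment above the line, `# HTTPS only authenticates PyPI when urllib2 verifies certificates (default from Python 2.7.9)`, and confirm that the opener is not built with an unverified SSL context. request() starts and ends outside the hunk.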