No check of host certificate #42

cym13 · 2017-04-16T22:30:37Z

All calls with request.get have disabled certificate verification. This puts the user in danger of a man in the middle.

While the information in those pages isn't private this opens the door to modification of the results. Those results are then printed on screen.

One possible attack scenario is to inject terminal control characters. Some terminal emulators allow things like writing a log to a file through control characters. This could therefore lead to remote code execution.

I see no good reason to disable those security features and recommend turning them on.

gautamkrishnar · 2017-04-17T16:34:24Z

Thanks... 👍 Yes SSL must be enabled...

gautamkrishnar · 2017-04-17T16:47:01Z

Instructions to fix the issue

Comment in this issue if you are interested 👍
Find all lines containing:

requests.get(soqurl + query, verify=False)

Change it to:

requests.get(soqurl + query)

Submit a new Pull request ⭐️

gautamkrishnar added enhancement first-timers-only help wanted labels Apr 17, 2017

liamhawkins mentioned this issue Apr 17, 2017

Verify certificates during request.get() #44

Merged

gautamkrishnar closed this as completed in #44 Apr 17, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No check of host certificate #42

No check of host certificate #42

cym13 commented Apr 16, 2017

gautamkrishnar commented Apr 17, 2017

gautamkrishnar commented Apr 17, 2017 •

edited

Loading

No check of host certificate #42

No check of host certificate #42

Comments

cym13 commented Apr 16, 2017

gautamkrishnar commented Apr 17, 2017

gautamkrishnar commented Apr 17, 2017 • edited Loading

Instructions to fix the issue

gautamkrishnar commented Apr 17, 2017 •

edited

Loading