[Bug 1343888] Re: _get_changelog_or_news does not handle Basic auth properly
Brian Murray
brian at ubuntu.com
Tue Mar 26 21:59:40 UTC 2019
In MyCache.py we can see the following which may no longer be true.
    # https uris are not supported when they contain a username/password
    # because the urllib2 https implementation will not check certificates
    # and so its possible to do a man-in-the-middle attack to steal the
    # credentials
    res = urlsplit(uri)
    if res.scheme == "https" and res.username:
        raise HttpsChangelogsUnsupportedError(
            "https locations with username/password are not"
            "supported to fetch changelogs")
** Changed in: update-manager (Ubuntu)
Importance: Undecided => Medium
** Changed in: update-manager (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1343888
Title:
_get_changelog_or_news does not handle Basic auth properly
Status in update-manager package in Ubuntu:
Triaged
Bug description:
_get_changelog_or_news when fetching changelogs from third-party URLs
that contain username:password does not handle that information
correctly.
urllib2 expects to get the authorization information in an Opener
object instead of in the URL. Passing it in the URL leads to it being
passed wrongly, which also is a bug in urllib2.
Here is how to do it the right way (but untested as I do not have
Ubuntu):
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1343888/+subscriptions
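
Added example, not taken from the bug report or from update-manager's code: the opener-based handling the description refers to, written with Python 3's urllib.request standing in for urllib2 and with a certificate-verifying TLS context attached for https. The function names split_credentials, tls_context and build_opener_for are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(uri):
    """Return (uri_without_userinfo, username, password)."""
    res = urlsplit(uri)
    host = res.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit drops the brackets, restore them
        host = "[%s]" % host
    if res.port is not None:
        host = "%s:%d" % (host, res.port)
    clean = urlunsplit((res.scheme, host, res.path, res.query, res.fragment))
    user = unquote(res.username) if res.username else None
    password = unquote(res.password) if res.password else None
    return clean, user, password


def tls_context():
    """TLS context that requires a valid certificate and checks the hostname."""
    return ssl.create_default_context()


def build_opener_for(uri):
    """Return (opener, clean_uri); credentials live in a handler, not the URL."""
    clean, user, password = split_credentials(uri)
    handlers = []
    if urlsplit(clean).scheme == "https":
        # Credentials are only sent over a connection whose peer was verified.
        handlers.append(urllib.request.HTTPSHandler(context=tls_context()))
    if user is not None:
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        # realm=None: use these credentials for whatever realm the server names
        mgr.add_password(None, clean, user, password or "")
        handlers.append(urllib.request.HTTPBasicAuthHandler(mgr))
    return urllib.request.build_opener(*handlers), clean


# A caller would then fetch with: opener.open(clean_uri, timeout=...)
```

The Basic auth handler answers the server's 401 challenge, so the Authorization header is sent only to the host the credentials were registered for.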