httplib2

Don't require cacerts.txt to be on disk

Open Colecf opened this issue 1 year ago • 2 comments

Hi,

In the Android (AOSP) build system, we build Python binaries into single executables that are run without extracting them to disk. httplib2's builtin ca_certs.txt is loaded as such:

```python
BUILTIN_CA_CERTS = os.path.join(
    os.path.dirname(os.path.abspath(__file__)), "cacerts.txt"
)

# later used as:

context.load_verify_locations(ca_certs)
```

This doesn't work in our Python binaries, because __file__ is the path to a file inside of a zip archive. Ideally httplib2 would load the builtin file using importlib.resources and pass it to load_verify_locations using the cadata= parameter.

httplib2 also has the ability to load a ca_certs_locater module to customize the cacerts location, but it expects the get() function to return the path to a file, so even if we were to provide our own locater it would run into similar issues. We could extract a cacerts.txt to disk, but there's no way to know when httplib2 is done with it and the temporary file could be cleaned up.

Colecf avatar Apr 26 '24 00:04 Colecf
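
The approach proposed in the post above (read the bundled file through importlib.resources and pass its text to load_verify_locations via cadata=), as an added example that is not httplib2's code and not part of the original thread. It assumes Python 3.9+ for importlib.resources.files; the package name demo_bundled_ca, the helper names and the placeholder bundle contents are constructed for illustration.

```python
import importlib.resources
import os
import ssl
import sys
import tempfile
import zipfile

PKG = "demo_bundled_ca"  # hypothetical package name standing in for the library
# Constructed placeholder, NOT a real certificate; a real bundle holds PEM blocks.
PLACEHOLDER = "# constructed placeholder for a PEM CA bundle\n"

def build_archive(directory):
    """Write a zip holding PKG/__init__.py and PKG/cacerts.txt; return its path."""
    archive = os.path.join(directory, "app.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(PKG + "/__init__.py", "")
        zf.writestr(PKG + "/cacerts.txt", PLACEHOLDER)
    return archive

def path_from_dunder_file(module):
    """Compute the bundle location from __file__, as in the snippet the issue quotes."""
    return os.path.join(os.path.dirname(os.path.abspath(module.__file__)), "cacerts.txt")

def read_bundled_pem(package):
    """Read the bundle as text through the import system; works inside a zip."""
    resource = importlib.resources.files(package).joinpath("cacerts.txt")
    return resource.read_text(encoding="ascii")

def context_from_pem(pem_text):
    """Build a client context from in-memory PEM text; no temporary file is needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=pem_text)  # raises ssl.SSLError if no cert parses
    return ctx

def demo():
    """Import PKG from a zip; return (path exists on disk?, text read as resource)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys.path.insert(0, build_archive(tmp))
        try:
            importlib.invalidate_caches()
            module = importlib.import_module(PKG)
            return os.path.exists(path_from_dunder_file(module)), read_bundled_pem(PKG)
        finally:
            sys.path.pop(0)
            sys.modules.pop(PKG, None)

if __name__ == "__main__":
    on_disk, pem = demo()
    print("__file__-derived path exists on disk:", on_disk, "| resource chars:", len(pem))
```

With a real PEM bundle in place of the placeholder, context_from_pem returns a context whose trust anchors are the certificates in that text.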

Sorry, yes, importlib sounds like the best option. I'll try to broaden the API to also accept a file-like object or a straight single-use read() function.

Please let me know of any security concerns against that.


temoto avatar Apr 26 '24 00:04 temoto

Thanks! I don't think this should change the security concerns.

Colecf avatar Apr 26 '24 02:04 Colecf