KGIII / pino-twitter

Automatically exported from code.google.com/p/pino-twitter
GNU Lesser General Public License v3.0

pino bypasses certificate checking when connecting to a service #339

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Inspired by the same bug in gwibber (https://bugs.launchpad.net/gwibber/+bug/705363) and heybuddy (https://bugs.launchpad.net/heybuddy/+bug/798300) I checked pino and it failed the same way :(

What steps will reproduce the problem?
1. Start pino
2. Add a new account, service "other", URL "https://badcert.dorei.kerker.die-welt.net/blub/"
3. Save; pino will update the statuses happily, even though the SSL cert is snakeoil.

What is the expected output? What do you see instead?
Expected: Some sort of SSL error.
Instead pino connects to the bad host; I can see the following in the log of the apache running there:

my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/home_timeline.xml?count=20 HTTP/1.1" 404 1608 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/home_timeline.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/home_timeline.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/mentions.xml?count=20 HTTP/1.1" 404 731 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/mentions.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/statuses/mentions.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/direct_messages.xml?count=20 HTTP/1.1" 404 731 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/direct_messages.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/direct_messages.xml?count=20 HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/users/show/asda.xml? HTTP/1.1" 404 731 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/users/show/asda.xml? HTTP/1.1" 404 570 "-" "pino/0.2.11"
my.ip.addr.ess - - [17/Jun/2011:12:02:33 +0200] "GET /blub/users/show/asda.xml? HTTP/1.1" 404 570 "-" "pino/0.2.11"

What version of the product are you using? On what operating system?
pino 0.2.11-5, Debian GNU/Linux Sid amd64

Please provide any additional information below.
Classic MITM here, please check against some system-provided list of trusted certs :)

Original issue reported on code.google.com by zhen...@gmail.com on 17 Jun 2011 at 10:15
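The report above boils down to a client that completes a TLS handshake without validating the server certificate, so a self-signed (or attacker-issued) certificate is accepted and the client talks to whoever answers. The following is an added example, not pino's code and not the reporter's: it reproduces the bug and its fix in Python's `ssl` module. `insecure_context()` mirrors what the report describes (no chain check, no hostname check); `secure_context()` is the remedy the reporter asks for, verification against the system-provided CA bundle plus hostname matching. Instead of the reporter's `badcert.dorei.kerker.die-welt.net` host, the example stands up a local HTTPS server on 127.0.0.1 with a throwaway self-signed certificate minted by the `openssl` command-line tool (assumed to be installed), and fetches the same `/blub/statuses/home_timeline.xml?count=20` path the apache log shows. The helper names and the 404 response are the example's own choices.

```python
"""Added example: a verifying HTTPS client next to the non-verifying behaviour
from the pino report, exercised against a local self-signed ("snakeoil") server.
Assumes the `openssl` CLI is available to generate the throwaway certificate."""
import http.server
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Path taken from the apache log in the report.
TIMELINE_PATH = "/blub/statuses/home_timeline.xml?count=20"


def make_snakeoil_cert(directory):
    """Mint a self-signed cert/key pair for CN=localhost (no trusted CA signs it)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True)
    return cert, key


class _Handler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the apache host in the report: answers every GET with 404."""
    def do_GET(self):
        self.send_response(404)
        self.end_headers()
        self.wfile.write(b"not found")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_tls_server(cert, key):
    """Serve HTTPS on 127.0.0.1 with the snakeoil cert; returns the server object."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def insecure_context():
    """The bug: encrypt, but never check who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """The fix: chain validation against the system CA store plus hostname check."""
    ctx = ssl.create_default_context()  # loads the platform trust store
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def fetch_status(addr, port, path, ctx, server_hostname="localhost"):
    """Return the HTTP status code, or 'verify_failed' if TLS rejected the cert."""
    try:
        with socket.create_connection((addr, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                req = f"GET {path} HTTP/1.0\r\nHost: {server_hostname}\r\n\r\n"
                tls.sendall(req.encode())
                status_line = tls.recv(4096).split(b"\r\n", 1)[0]
                return int(status_line.split()[1])
    except ssl.SSLCertVerificationError:
        return "verify_failed"


def demo():
    """Run both clients against the snakeoil server and report what each saw."""
    workdir = tempfile.mkdtemp()
    cert, key = make_snakeoil_cert(workdir)
    server = start_tls_server(cert, key)
    port = server.server_address[1]
    try:
        return {
            "insecure": fetch_status("127.0.0.1", port, TIMELINE_PATH, insecure_context()),
            "secure": fetch_status("127.0.0.1", port, TIMELINE_PATH, secure_context()),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # {'insecure': 404, 'secure': 'verify_failed'}
```

The non-verifying client reaches the server and gets the same 404 the reporter saw in the apache log, which is exactly the point: the request, and any credentials it carries, went to an unauthenticated peer. The verifying client aborts in the handshake before a single byte of HTTP is sent. Note that `check_hostname` matters as much as chain validation; a certificate that chains to a trusted CA but names a different host would still pass a chain-only check.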