Closed Tethik closed 9 years ago
The connection to production and test environments is using unverified SSL connections. This means a MITM attack can easily take over traffic, despite SSL.
Offending code resides in the RequestsTransport class. `verify` should not be False.
```python
import StringIO  # Python 2 module, as used by the original code
import requests
from suds.transport import Reply


class RequestsTransport(object):  # base class not shown in the issue; suds transports derive from suds.transport.Transport
    def open(self, request):
        """Fetches the WSDL specification using certificates."""
        self.addcredentials(request)
        # verify=False disables server certificate validation: this is the reported defect
        resp = requests.get(request.url, data=request.message,
                            headers=request.headers, cert=self.cert, verify=False)
        result = StringIO.StringIO(resp.content.decode('utf-8'))
        return result

    def send(self, request):
        """Posts to SOAP service using certificates."""
        self.addcredentials(request)
        # same problem here: the peer's certificate is never checked
        resp = requests.post(request.url, data=request.message,
                             headers=request.headers, cert=self.cert, verify=False)
        result = Reply(resp.status_code, resp.headers, resp.content)
        return result
```
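An added example, not part of the issue or the project's code: a small stdlib-only check that walks a Python source tree with `ast` and reports every `requests.<verb>(..., verify=False)` call, the pattern this issue describes. The sample source is constructed to mirror the transport above; the fix is to drop `verify=False` (requests verifies by default) or pass the path of a trusted CA bundle.

```python
import ast

# Constructed sample: the two offending calls plus one corrected call.
SAMPLE = '''
import requests

class RequestsTransport(object):
    def open(self, request):
        resp = requests.get(request.url, cert=self.cert, verify=False)
        return resp

    def send(self, request):
        resp = requests.post(request.url, cert=self.cert, verify=False)
        return resp

    def fixed(self, request):
        # hardened form: point verify at a trusted CA bundle (or omit it, True is the default)
        return requests.post(request.url, cert=self.cert, verify="/path/to/ca-bundle.crt")
'''

# HTTP helper functions exposed by the requests module.
REQUESTS_CALLS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def find_unverified_calls(source):
    """Return sorted (line, verb) pairs for every requests.<verb>(..., verify=False) call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only direct calls of the form requests.<verb>(...)
        if not (isinstance(func, ast.Attribute) and func.attr in REQUESTS_CALLS):
            continue
        if not (isinstance(func.value, ast.Name) and func.value.id == "requests"):
            continue
        for kw in node.keywords:
            # A literal False is the dangerous case; a path or True is fine.
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((node.lineno, func.attr))
    return sorted(findings)


if __name__ == "__main__":
    for line, verb in find_unverified_calls(SAMPLE):
        print("line %d: requests.%s called with verify=False" % (line, verb))
```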