hockeyprincess / google-api-dfp-python

Automatically exported from code.google.com/p/google-api-dfp-python
Apache License 2.0

failure to check ssl server certificate validity could allow for an mitm attack #5

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
failure to check ssl server certificate validity could allow for an mitm attack to be performed against this python project.
So do point out if I got this wrong ^ ^ :

in AuthToken.py we have the following code:

  def __Login(self):
    """Fetch Auth token and SID, LSID cookies from Google Account auth."""
    if self.__proxy: os.environ['http_proxy'] = self.__proxy
    url = 'https://www.google.com/accounts/ClientLogin'
    data = [('Email', self.__email),
            ('Passwd', self.__password),
            ('accountType', self.__account_type),
            ('service', self.__service),
            ('source', self.__source)]
    try:
      fh = urllib.urlopen(url, urllib.urlencode(data))
      try:
        tag, msg = fh.readline().split('=')

("fh = urllib.urlopen(url, urllib.urlencode(data))" is the problem line.)

---> this method I think gets used like this:

From Util.py

def GetAuthToken(email, password, service, lib_sig, proxy):
  """Return an authentication token for Google Account.

  If an error occurs, AuthTokenError is raised.

  Args:
    email: str Google Account's login email.
    password: str Google Account's password.
    service: str Name of the Google service for which to authorize access.
    lib_sig: str Signature of the client library.
    proxy: str HTTP proxy to use.

  Returns:
    str Authentication token for Google Account.
  """
  return AuthToken(email, password, service, lib_sig, proxy).GetAuthToken()

--->
which is called by DfpClient.py
DfpClient(...
def __init__(self, headers=None, config=None, path=None):

....
   # Load/set authentication token.
    try:
      if headers and 'authToken' in headers and headers['authToken']:
        self._headers['authToken'] = headers['authToken']
      elif 'email' in self._headers and 'password' in self._headers:
        self._headers['authToken'] = Utils.GetAuthToken(
            self._headers['email'], self._headers['password'],
            AUTH_TOKEN_SERVICE, LIB_SIG, self._config['proxy'])

(the self._headers['authToken'] = Utils.GetAuthToken() )

So I think it is used???? / by one of the examples????
I am not sure (it seems to send the user's username and password using urllib here without wrapping it with something like the ssl module for example) but maybe I am mistaken?...

Original issue reported on code.google.com by db.pub.m...@gmail.com on 21 Nov 2010 at 10:25

GoogleCodeExporter commented 8 years ago
Any news about this?

Original comment by rogerio....@gmail.com on 18 Jan 2011 at 6:44

GoogleCodeExporter commented 8 years ago
Looking into it...

Original comment by api.sgri...@gmail.com on 27 Jan 2011 at 4:15

GoogleCodeExporter commented 8 years ago
You are correct. The urllib and urllib2 modules in Python do not do any validation of the server certificate. It's also not very easy to do in Python below v2.6. Some description of this is available at http://www.muchtooscrawled.com/2010/03/https-certificate-verification-in-python-with-urllib2/.

Anyone interested in writing a patch for this?

Original comment by api.sgri...@gmail.com on 27 Jan 2011 at 4:38
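The fix the last comment asks for, as an added example that is not part of this issue thread or the google-api-dfp-python code base. It is written for Python 3, where `urllib.request.urlopen` accepts a `context` argument and (since PEP 476, Python 2.7.9 / 3.4.3) verifies certificates by default; the point is to make that verification explicit and to refuse to send credentials when it has been switched off. `make_legacy_context` models the behaviour the reporter describes (encrypted but unauthenticated), `context_is_verifying` is the audit check a reviewer can run against any context a client builds, and `post_credentials` is the shape `__Login` would take. `CLIENT_LOGIN_URL` is the URL quoted in the issue, kept only as a placeholder; the ClientLogin endpoint itself was retired by Google long ago.

```python
import ssl
import urllib.parse
import urllib.request

# URL quoted in the issue, kept as a placeholder only (ClientLogin no longer exists).
CLIENT_LOGIN_URL = "https://www.google.com/accounts/ClientLogin"


def make_verifying_context(cafile=None):
    """Return an SSLContext that validates the server's chain and its hostname.

    cafile=None selects the platform trust store, the same roots a browser uses.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets these; assert so a future edit that
    # loosens them fails loudly instead of silently re-opening the MITM hole.
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    assert ctx.check_hostname
    return ctx


def make_legacy_context():
    """Model the behaviour the issue reports: TLS without any authentication.

    Any certificate, including one presented by a man in the middle, is accepted,
    so the Email/Passwd form fields would be readable by whoever sits on the path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """Audit check: True only if the chain is validated AND the hostname is matched.

    Either flag alone is insufficient: CERT_REQUIRED without check_hostname accepts
    any valid certificate for any other site, and check_hostname without
    CERT_REQUIRED is not even permitted by the ssl module.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def is_safe_to_send(url, ctx):
    """Credentials go out only over https and only on a verifying context."""
    return url.lower().startswith("https://") and context_is_verifying(ctx)


def post_credentials(url, fields, context=None):
    """POST form fields (Email, Passwd, ...) over a verified HTTPS connection.

    Raises ValueError before any bytes leave the process if the transport would
    not authenticate the server; raises ssl.SSLCertVerificationError if the
    server's certificate fails validation at connect time.
    """
    ctx = context or make_verifying_context()
    if not is_safe_to_send(url, ctx):
        raise ValueError("refusing to send credentials over an unverified connection")
    body = urllib.parse.urlencode(fields).encode("ascii")
    with urllib.request.urlopen(url, body, context=ctx) as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed, non-functional credentials; the endpoint is a placeholder, so
    # this only demonstrates the pre-flight checks and the failure mode.
    fields = [("Email", "user@example.invalid"), ("Passwd", "not-a-real-password")]
    print("default context verifies:", context_is_verifying(make_verifying_context()))
    print("legacy context verifies: ", context_is_verifying(make_legacy_context()))
    try:
        post_credentials(CLIENT_LOGIN_URL, fields, context=make_legacy_context())
    except ValueError as exc:
        print("blocked:", exc)
```

A patch to `AuthToken.__Login` would replace the bare `urllib.urlopen(url, ...)` call with the `post_credentials` pattern above, so that an untrusted or mismatched certificate raises instead of silently handing the account password to whoever terminated the connection. The `cafile` parameter is what to use when the client must talk to a corporate proxy with its own CA rather than disabling verification.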