httpie / cli

🥧 HTTPie CLI — modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more.
https://httpie.io
BSD 3-Clause "New" or "Revised" License

Cryptographic API Misuse Vulnerability : Missing SSL Certificate Validation #1549

Closed gxx777 closed 6 months ago

gxx777 commented 6 months ago

Do not use unverified hostname or certificates in connection

Do not disable HTTPS warnings

Description:

In HTTPie 3.2.2, there are sections where SSL certificate validation appears to be missing. Proper SSL certificate validation is a cornerstone of secure communication over HTTPS, and its absence can lead to severe security risks such as Man-In-The-Middle (MITM) attacks. In particular, the code does not enforce hostname verification or certificate validation, and it may also be suppressing HTTPS-related warnings that would typically alert a user to a potential security issue.

Affected Version

v3.2.2

Location:

https://github.com/httpie/cli/blob/master/httpie/internal/update_warnings.py#L44
https://github.com/httpie/cli/blob/master/httpie/client.py#L33

Reference

Expected Behavior:

The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. Additionally, any HTTPS warnings should be displayed to the user, rather than being disabled, to avoid security oversights.

Actual Behavior:

The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. Furthermore, HTTPS warnings that are essential for debugging and security awareness are not displayed, potentially causing the users to remain unaware of misconfigured or insecure SSL implementations.

Recommendation

Due to the sensitive nature of data transmitted over HTTPS, it is imperative to address this vulnerability promptly to maintain the integrity and confidentiality of client-server communication for HTTPie users.

jkbrzt commented 6 months ago

I assume this is based on the bogus CVE-2023-48052.

> Do not use urllib3.disable_warnings() to close TLS warnings, it is so dangerous! Please delete it.

Even though the printing of warnings to the terminal is disabled, SSL verification still does occur — unless the user disables it via --verify=no. We don’t want SSL warnings in the output. Please see https://urllib3.readthedocs.io/en/stable/advanced-usage.html#tls-warnings

> Set get request verify=True, it will do SSL certificate validation.

verify=False is only used for internal version check requests to a hard-coded URL, not the actual user requests.

(Yes, it was left there unintentionally, and we’ll remove it in the upcoming release, but it poses no danger.)
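The two patterns this thread turns on, a hard-coded `verify=False` and a `urllib3.disable_warnings()` call, are easy to surface with a static check so that each hit can be triaged the way the maintainer does above (is the request user-facing, or an internal call to a fixed URL?). The following is an added example, not HTTPie's code; it uses the standard-library `ast` module, and the source it scans is a constructed sample with made-up function names that mimics the reported layout.

```python
import ast
from typing import List, Tuple

# Constructed sample, NOT HTTPie's source: mimics the two reported patterns
# (a global disable_warnings() call and a hard-coded verify=False) next to a
# request whose verification is controlled by the caller.
SAMPLE_SOURCE = '''
import requests
import urllib3

urllib3.disable_warnings()

def fetch_latest_version(url):
    return requests.get(url, verify=False).json()

def fetch_user(url, verify):
    # verification decided by the caller (e.g. --verify=no), not hard-coded
    return requests.get(url, verify=verify)
'''


def _dotted(expr: ast.expr) -> str:
    """Render a call target such as requests.get as a dotted name."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        return f"{_dotted(expr.value)}.{expr.attr}"
    return "<expr>"  # e.g. a call chained on another call's result


def find_tls_misuse(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, finding, callee) for disable_warnings() calls and for
    calls that pass the literal verify=False. A hit is a lead for review,
    not a confirmed vulnerability: the thread above shows a verify=False
    on an internal version check that never touches user requests."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee.endswith("disable_warnings"):
            findings.append((node.lineno, "warnings-suppressed", callee))
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, "verify-disabled", callee))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, callee in find_tls_misuse(SAMPLE_SOURCE):
        print(f"line {line}: {kind} in {callee}()")
```

Only a literal `False` is flagged; `verify=verify` (the value HTTPie derives from `--verify`) passes, which is the distinction the maintainer draws between the internal version check and user requests.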