hotot bypasses certificate checking when connecting to a service

GoogleCodeExporter commented 9 years ago

Inspired by the same bug in gwibber 
(https://bugs.launchpad.net/gwibber/+bug/705363), heybuddy 
(https://bugs.launchpad.net/heybuddy/+bug/798300) and pino 
(http://code.google.com/p/pino-twitter/issues/detail?id=339) I checked hotot 
and it failed the same way :(

What steps will reproduce the problem?
1. put "127.0.0.1 identi.ca" in /etc/hosts and start a ssl-enabled httpd
2. Start hotot
3. add a new identi.ca account
4. hotot will try to request a token and raise 404 as there is no statusnet 
installed on localhost

What is the expected output? What do you see instead?
Expected: Some sort of SSL error.
Instead hotot connects to the bad host, I can see the following in the log of 
the apache running there:

my.ip.addr.ess - - [17/Jun/2011:15:25:48 +0200] "GET 
/api/account/verify_credentials.json?source=Hotot HTTP/1.1" 404 1618 "-" 
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.26+ (KHTML, like Gecko) 
Version/5.0 Safari/534.26+"

What version of the product are you using? On what operating system?
hotot from mercurial, rev 841:f4172283d4af, Debian GNU/Linux Sid amd64

Original issue reported on code.google.com by zhen...@gmail.com on 17 Jun 2011 at 1:37

GoogleCodeExporter commented 9 years ago

Original comment by 5h3l...@gmail.com on 17 Jun 2011 at 4:05

Added labels: Security

GoogleCodeExporter commented 9 years ago

move to https://github.com/shellex/Hotot/issues/15

Original comment by 5h3l...@gmail.com on 7 Oct 2011 at 12:22

GoogleCodeExporter commented 9 years ago

Original comment by 5h3l...@gmail.com on 7 Oct 2011 at 12:22

Changed state: Done

neharob / hotot

hotot bypasses certificate checking when connecting to a service #388