twilio / twilio-python

A Python module for communicating with the Twilio API and generating TwiML.
MIT License

Request validator broken with HTTPS requests containing port numbers #392

Closed thomasst closed 7 years ago

thomasst commented 7 years ago

According to https://www.twilio.com/docs/api/security#notes the port number should be omitted in HTTPS requests for signature validation. RequestValidator.validate should take these rules into account and not require the user to strip out the number.

My current workaround is to parse and reencode the URL as follows, but this should happen within the validate() method:

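import urlparse  # Python 2 module; on Python 3 use urllib.parse
# Twilio signs HTTPS URLs without the port, so drop it before validating.
parsed = urlparse.urlparse(uri)
if parsed.scheme == 'https':
    parsed = parsed._replace(netloc=parsed.netloc.split(':')[0])
    uri = parsed.geturl()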

Internal ticket: https://www.twilio.com/console/support/tickets/1061656
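
A more defensive form of the workaround above, as an added example (not twilio-python's own code): it strips the port from HTTPS URLs while keeping userinfo, host case and IPv6 literals intact, then checks the signature in constant time. The signature routine assumes Twilio's documented scheme (HMAC-SHA1 over the URL plus the sorted POST parameters, base64-encoded); the function names, token, URLs and parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values, not real credentials or endpoints.
TOKEN = "constructed-auth-token"
PARAMS = {"To": "+15550100", "From": "+15550101", "Body": "hello"}


def strip_https_port(uri):
    """Return uri without its port when the scheme is https, else unchanged."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.port is None:
        return uri
    # Split off userinfo first so a ':' in "user:pw@" is never taken for the port.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    # A port is present, so the last ':' separates it from the host, also for
    # bracketed IPv6 literals such as "[::1]:8443". Host case is preserved.
    host = hostport[: hostport.rindex(":")]
    return urlunsplit(parts._replace(netloc=userinfo + at + host))


def compute_signature(auth_token, uri, params):
    """Signature over the URL followed by each POST key and value, sorted by key."""
    data = uri + "".join(key + params[key] for key in sorted(params))
    mac = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def validate(auth_token, uri, params, signature):
    """Validate a signature against the URL as the web server saw it."""
    expected = compute_signature(auth_token, strip_https_port(uri), params)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # The sender signs the port-less URL; the server sees the URL with its port.
    sent = compute_signature(TOKEN, "https://example.com/sms", PARAMS)
    seen = "https://example.com:8443/sms"
    print("naive match:     ", compute_signature(TOKEN, seen, PARAMS) == sent)
    print("normalised match:", validate(TOKEN, seen, PARAMS, sent))
```
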

Brodan commented 7 years ago

Just opened a PR for this fix @jingming @thomasst

#394

codejudas commented 7 years ago

We'll get it out in the next release.

codejudas commented 7 years ago

This is in release 6.8.1