Don't require cacerts.txt to be on disk #241
Comments
Colecf
changed the title
|
Sorry, yes importlib sounds like best option. I'll try to broad API to also
accept file-like object or straight single use read() function.
Please let me know of any security concerns against that.
…On Fri, 26 Apr 2024, 03:32 Cole Faust, ***@***.***> wrote:
Hi,
In the android (AOSP) build system, we build python binaries into single
executables that are run without extracting them to disk. httplib2's
builtin ca_certs.txt is loaded as such:
BUILTIN_CA_CERTS = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "cacerts.txt"
)
# later used as:
context.load_verify_locations(ca_certs)
This doesn't work in our python binaries, because __file__ is the path to
a file inside of a zip archive. Ideally httplib2 would load the builtin
file using importlib.resources and pass it to load_verify_locations using
the cadata= parameter.
httplib2 also has the ability to load a ca_certs_locater module to
customize the cacerts location, but it expects the get() function to
return the path to a file, so even if we were to provide our own locater it
would run into similar issues. We could extract a cacerts.txt to disk,
but there's no way to know when httplib2 is done with it and the temporary
file could be cleaned up.
—
Reply to this email directly, view it on GitHub
<#241>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAGTMLLAUZIKGEK7YU2HH3Y7GOB7AVCNFSM6AAAAABGZ22J3WVHI2DSMVQWIX3LMV43ASLTON2WKOZSGI3DINZRGUYDQNA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Thanks! I don't think this should change the security concerns. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
In the android (AOSP) build system, we build python binaries into single executables that are run without extracting them to disk. httplib2's builtin ca_certs.txt is loaded as such:
This doesn't work in our python binaries, because
__file__is the path to a file inside of a zip archive. Ideally httplib2 would load the builtin file usingimportlib.resourcesand pass it toload_verify_locationsusing thecadata=parameter.httplib2 also has the ability to load a
ca_certs_locatermodule to customize the cacerts location, but it expects theget()function to return the path to a file, so even if we were to provide our own locater it would run into similar issues. We could extract acacerts.txtto disk, but there's no way to know when httplib2 is done with it and the temporary file could be cleaned up.The text was updated successfully, but these errors were encountered: