Don't require cacerts.txt to be on disk #241
Colecf changed the title from "Don't require ca_certs.txt to be on disk" to "Don't require cacerts.txt to be on disk" on Apr 26, 2024
Sorry, yes importlib sounds like the best option. I'll try to broaden the API to also
accept a file-like object or a straight single-use read() function.
Please let me know of any security concerns against that.
…On Fri, 26 Apr 2024, 03:32 Cole Faust, ***@***.***> wrote:
Hi,
In the android (AOSP) build system, we build python binaries into single
executables that are run without extracting them to disk. httplib2's
builtin ca_certs.txt is loaded as such:

    BUILTIN_CA_CERTS = os.path.join(
        os.path.dirname(os.path.abspath(__file__)), "cacerts.txt"
    )
    # later used as:
    context.load_verify_locations(ca_certs)

This doesn't work in our python binaries, because __file__ is the path to
a file inside of a zip archive. Ideally httplib2 would load the builtin
file using importlib.resources and pass it to load_verify_locations using
the cadata= parameter.
httplib2 also has the ability to load a ca_certs_locater module to
customize the cacerts location, but it expects the get() function to
return the path to a file, so even if we were to provide our own locater it
would run into similar issues. We could extract a cacerts.txt to disk,
but there's no way to know when httplib2 is done with it and the temporary
file could be cleaned up.
Thanks! I don't think this should change the security concerns.
Hi,
In the android (AOSP) build system, we build python binaries into single executables that are run without extracting them to disk. httplib2's builtin ca_certs.txt is loaded as such:
This doesn't work in our python binaries, because __file__ is the path to a file inside of a zip archive. Ideally httplib2 would load the builtin file using importlib.resources and pass it to load_verify_locations using the cadata= parameter.
httplib2 also has the ability to load a ca_certs_locater module to customize the cacerts location, but it expects the get() function to return the path to a file, so even if we were to provide our own locater it would run into similar issues. We could extract a cacerts.txt to disk, but there's no way to know when httplib2 is done with it and the temporary file could be cleaned up.
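
The three options discussed in this issue, side by side, as an added example that is not part of the thread or of httplib2's code: the `__file__`-relative path, temporary extraction, and an in-memory read passed through `cadata=`. The package name `bundled_ca_demo`, the archive and the placeholder bundle are constructed for illustration, and `importlib.resources.files` assumes Python 3.9 or later.

```python
import importlib
import os
import ssl
import sys
import tempfile
import zipfile
from importlib.resources import as_file, files

PKG = "bundled_ca_demo"  # hypothetical package name, not httplib2
PLACEHOLDER = "# constructed placeholder, not a real CA bundle\n"


def install_zipped_package():
    """Build a zip holding PKG/cacerts.txt and import PKG from it, unextracted."""
    archive = os.path.join(tempfile.mkdtemp(), "app.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(f"{PKG}/__init__.py", "")
        zf.writestr(f"{PKG}/cacerts.txt", PLACEHOLDER)
    sys.path.insert(0, archive)
    return importlib.import_module(PKG)


def file_based_path(module):
    """The __file__-relative lookup from the issue; it points inside the zip."""
    return os.path.join(os.path.dirname(os.path.abspath(module.__file__)), "cacerts.txt")


def extracted_path_lifetime():
    """as_file() extracts to a temp file that is deleted when the block exits."""
    with as_file(files(PKG).joinpath("cacerts.txt")) as path:
        inside = path.exists()
    return inside, path.exists()


def read_bundle():
    """Read the bundle from the archive into memory; no file is created."""
    return files(PKG).joinpath("cacerts.txt").read_text(encoding="ascii")


def context_from_package():
    """Trust only the packaged bundle via cadata=; ssl.SSLError if it has no PEM cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=read_bundle())
    return ctx


if __name__ == "__main__":
    module = install_zipped_package()
    # Prints: does the __file__ path exist, as_file (inside, after), characters read
    print(os.path.exists(file_based_path(module)), extracted_path_lifetime(), len(read_bundle()))
```

With a real PEM bundle in place of the placeholder, `context_from_package()` returns a context that trusts only that bundle; with the placeholder it raises `ssl.SSLError` instead of producing an empty trust store.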