Set HTTPSConnection.is_verified to False when using a forwarding proxy

Co-authored-by: abebeos <129396476+abebeos@users.noreply.github.com> Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
urllib3 · Jan 17, 2024 · bbba487 · bbba487
1 parent f862bfe
commit bbba487
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/changelog/3267.bugfix.rst b/changelog/3267.bugfix.rst
@@ -0,0 +1,2 @@
+Fixed ``HTTPSConnection.is_verified`` to be set to ``False`` when connecting
+from a https proxy to a http target. It was set to ``True`` previously.
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
@@ -265,6 +265,13 @@ def is_connected(self) -> bool:
     def has_connected_to_proxy(self) -> bool:
         return self._has_connected_to_proxy
 
+    @property
+    def proxy_is_forwarding(self) -> bool:
+        """
+        Return True if a forwarding proxy is configured, else return False
+        """
+        return bool(self.proxy) and self._tunnel_host is None
+
     def close(self) -> None:
         try:
             super().close()
@@ -663,11 +670,14 @@ def connect(self) -> None:
         )
         self.sock = sock_and_verified.socket
 
-        # TODO: Set correct `self.is_verified` in case of HTTPS proxy +
-        #       HTTP destination, see
-        #       `test_is_verified_https_proxy_to_http_target` and
-        #       https://github.com/urllib3/urllib3/issues/3267.
-        self.is_verified = sock_and_verified.is_verified
+        # Forwarding proxies can never have a verified target since
+        # the proxy is the one doing the verification. Should instead
+        # use a CONNECT tunnel in order to verify the target.
+        # See: https://github.com/urllib3/urllib3/issues/3267.
+        if self.proxy_is_forwarding:
+            self.is_verified = False
+        else:
+            self.is_verified = sock_and_verified.is_verified
 
         # If there's a proxy to be connected to we are fully connected.
         # This is set twice (once above and here) due to forwarding proxies

diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
@@ -1098,7 +1098,8 @@ def _validate_conn(self, conn: BaseHTTPConnection) -> None:
         if conn.is_closed:
             conn.connect()
 
-        if not conn.is_verified:
+        # TODO revise this, see https://github.com/urllib3/urllib3/issues/2791
+        if not conn.is_verified and not conn.proxy_is_verified:
             warnings.warn(
                 (
                     f"Unverified HTTPS request is being made to host '{conn.host}'. "

diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -105,7 +105,6 @@ def test_is_verified_http_proxy_to_https_target(self) -> None:
             assert r.status == 200
             assert_is_verified(http, proxy=False, target=True)
 
-    @pytest.mark.xfail(reason="see https://github.com/urllib3/urllib3/issues/3267")
     def test_is_verified_https_proxy_to_http_target(self) -> None:
         with proxy_from_url(self.https_proxy_url, ca_certs=DEFAULT_CA) as https:
             r = https.request("GET", f"{self.http_url}/")