-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Striped square brackets from host IP #2241
Conversation
I also looked into stripping out the brackets further up the stack |
Codecov Report
@@ Coverage Diff @@
## main #2241 +/- ##
===========================================
- Coverage 100.00% 99.27% -0.73%
===========================================
Files 25 25
Lines 2478 2478
===========================================
- Hits 2478 2460 -18
- Misses 0 18 +18
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure about the right place to stripping out the brackets would be match_hostname
function, but the implementation and tests look good to me.
Also, I think we need to backport it to 1.26.x
I wonder if there's a better place to do this within the proxy flow? |
The alternative I tried was to strip them out in PoolManager.connection_from_host but this failed. Looking a bit deeper this appears to be because HTTPSConnection.set_tunnel requires the square brackets to be in place. Which I guess is why they were left in place in the first place. I could strip them out in connection_from_host and then put them |
Rebased |
When comparing host IP to a cert subjectAltName->"IP Address" ensure were strip square brackets from IPv6 addresses.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This much more localized implementation looks good to me, thank you!
Would love an integration test too, especially one that tests proxies too (cc @jalopezsilva).
The integration test on 1.26.x will probably reveal a slightly more complex route for 1.26.x because iirc we don't unconditionally use our implementation of ssl_match_hostname()
there. Will have to take a peek.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applied type hint updates and made mypy happy with the branch. One of the changes was switching from Dict
-> Mapping
for the cert type, mypy was complaining for variance/covariance.
Since I made changes myself I'll wait for someone else to review as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me!
@sethmlarson, should I add the proxy integration directly here or wait until we merge it? |
@jalopezsilva Let's merge this then you can add the proxy integration after. I think this one may be non-trivial to backport, maybe you can look at this a bit too? |
When comparing host IP to a cert subjectAltName->"IP Address"
ensure were strip square brackets from IPv6 addresses.
Fixes: #2240