Make pyOpenSSL skip DNS names which can't be idna-encoded #1406
encoded. See #1405 and #requests/requests/4569
urllib3/contrib/pyopenssl.py
] | ||
# We also want to skip over names which cannot be idna encoded. | ||
names = [] | ||
for name in ext.get_values_for_type(x509.DNSName): |
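Review bot: the comment above `names = []` says unencodable names are skipped but not what a caller should expect as a result; state there that a skipped entry is absent from the returned list and so cannot be matched against a hostname. A test using a certificate that carries one such entry beside a valid one would pin the behaviour of the loop over `ext.get_values_for_type(x509.DNSName)` down.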
We could instead do

```python
names = [
    ('DNS', name) for name in map(_dnsname_to_stdlib, ext.get_values_for_type(x509.DNSName))
    if name is not None
]
```
I'll change to that! I never think to use `map`. :)
Codecov Report
@@ Coverage Diff @@
## master #1406 +/- ##
======================================
Coverage 100% 100%
======================================
Files 21 21
Lines 1788 1788
======================================
Hits 1788 1788
Made the changes you suggested @sigmavirus24.
Checked the patch and it's working for the site specified in the original issue:

Before patch:

```
>>> import requests
>>> requests.get("https://earthlingsoft.net/UnicodeChecker/appcast.xml")
Traceback (most recent call last):
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\idna\core.py", line 271, in alabel
    ulabel(label)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\idna\core.py", line 311, in ulabel
    check_label(label)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\idna\core.py", line 261, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+2603 at position 1 of '☃' not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\requests\api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\requests\api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\requests\sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\requests\sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\requests\adapters.py", line 445, in send
    timeout=timeout
  File "C:\Users\sethm\Desktop\urllib3\urllib3\connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "C:\Users\sethm\Desktop\urllib3\urllib3\connection.py", line 367, in connect
    cert = self.sock.getpeercert()
  File "C:\Users\sethm\Desktop\urllib3\urllib3\contrib\pyopenssl.py", line 351, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\contrib\pyopenssl.py", line 228, in get_subj_alt_name
    for name in ext.get_values_for_type(x509.DNSName)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\contrib\pyopenssl.py", line 228, in <listcomp>
    for name in ext.get_values_for_type(x509.DNSName)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\contrib\pyopenssl.py", line 181, in _dnsname_to_stdlib
    name = idna_encode(name)
  File "C:\Users\sethm\Desktop\urllib3\urllib3\contrib\pyopenssl.py", line 179, in idna_encode
    return idna.encode(name)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\idna\core.py", line 361, in encode
    s = alabel(label)
  File "C:\Users\sethm\Desktop\urllib3\venv\lib\site-packages\idna\core.py", line 273, in alabel
    raise IDNAError('The label {0} is not a valid A-label'.format(label))
idna.core.IDNAError: The label b'xn--n3h' is not a valid A-label
```

After patch:

```
>>> import requests
>>> requests.get('https://earthlingsoft.net/UnicodeChecker/appcast.xml')
<Response [200]>
```
Now if only there was a merge-when-CI-passes button. 🤔
@SethMichaelLarson GitLab has that feature.
Thanks @sigmavirus24 for the review. :)
@sethmlarson @sigmavirus24 Refined GitHub has that feature :)
See #1405 and psf/requests#4569.
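
The behaviour change discussed in this thread, as an added example that is not urllib3's code: converting a certificate's SAN DNS names strictly loses the whole list on one bad entry, while skipping keeps the usable names and leaves the bad one unmatchable. The function names and sample names are hypothetical, and Python's built-in `idna` codec is assumed as a stand-in for the `idna` package, so the rejected input is an over-long label rather than the U+2603 label from the traceback.

```python
# Added example, not urllib3's code. Assumption: Python's built-in "idna"
# codec stands in for the third-party `idna` package, so the rejected input
# here (an over-long label) differs from the label in the traceback above.

def dnsname_to_stdlib(name):
    """ASCII form of one SAN dNSName, or None when it cannot be IDNA-encoded."""
    prefix = ""
    for candidate in ("*.", "."):
        if name.startswith(candidate):
            prefix, name = candidate, name[len(candidate):]
            break
    try:
        return prefix + name.encode("idna").decode("ascii")
    except UnicodeError:  # the codec's error type (the package raises IDNAError)
        return None


def san_strict(dns_names):
    """Old behaviour: one unencodable entry raises and the whole list is lost."""
    return [("DNS", n.encode("idna").decode("ascii")) for n in dns_names]


def san_skipping(dns_names):
    """New behaviour: drop unencodable entries, keep every other name."""
    return [("DNS", n) for n in map(dnsname_to_stdlib, dns_names) if n is not None]


def hostname_matches(ascii_host, san):
    """Minimal matcher: exact name, or a single left-most wildcard label."""
    host = ascii_host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    for _, pattern in san:
        pattern = pattern.lower()
        if pattern == host or (pattern.startswith("*.") and pattern[2:] == parent):
            return True
    return False


# Constructed SAN values: a valid IDN, a wildcard, and an unencodable entry.
BAD = "a" * 64 + ".example"
SAMPLE = ["bücher.example", "*.example.org", BAD]

if __name__ == "__main__":
    try:
        san_strict(SAMPLE)
    except UnicodeError as exc:
        print("strict conversion failed:", exc)
    san = san_skipping(SAMPLE)
    print(san, hostname_matches("www.example.org", san), hostname_matches(BAD, san))
```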