[docs] [issue9983] please add a large NOTE explaining that urllib does not perform any ssl validation

david report at bugs.python.org
Wed Sep 29 16:32:10 CEST 2010

david <db.pub.mail at gmail.com> added the comment:

Yes, totally. IMHO these modules should get fixed to actually do SSL checking.
This means that most users of these methods, even if they think they
are doing it properly as per the ssl module page, are still vulnerable
to attack.

I will add this comment to the bug you linked to above.
As an example, it only took a few minutes to confirm that the default
bzr install on Ubuntu is vulnerable ->
(bzr is only vulnerable if pycurl isn't installed but pycurl is only a
suggestion not a dependency ... ).


Python tracker <report at bugs.python.org>
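
The gap this message describes can be checked on the client side by auditing the `ssl.SSLContext` that urllib is given. What follows is an added example, not part of the original message or of the Python project's code. Assumptions: Python 3 with `urllib.request`; the helper names are hypothetical; `unverified_context()` is a constructed model of a client that performs no validation.

```python
import ssl
import urllib.request


def unverified_context():
    """Constructed model of the complaint: no chain check, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Context that validates the chain and matches the hostname."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return a list of validation gaps; an empty list means both checks are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def build_verified_opener(cafile=None):
    """Build a urllib opener, refusing any context that fails the audit."""
    ctx = verified_context(cafile)
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to build opener: " + "; ".join(problems))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    # Chain-only validation: certificates are required but hostnames are not matched.
    chain_only = verified_context()
    chain_only.check_hostname = False
    for name, ctx in (("unverified", unverified_context()),
                      ("chain only", chain_only),
                      ("verified", verified_context())):
        print(name, "->", audit_context(ctx) or "ok")
```

The "chain only" case matters because requiring a certificate without matching the hostname still accepts any valid certificate issued for a different host.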
