use pycurl instead of urllib2 when talking to launchpad to actually get SSL cert verification, see https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/915210 or CVE-2011-4407 for a previous similar issue in software-properties

2013-08-13 17:37:25 +02:00 · 2013-08-13 17:37:25 +02:00 · b69e7c92e7
commit b69e7c92e7
parent 1bb4c9ab25
1 changed files with 18 additions and 3 deletions
--- a/packaging/apt_repository
+++ b/packaging/apt_repository
@ -67,7 +67,7 @@ import json
 import os
 import re
 import tempfile
-import urllib2
+import pycurl

 try:
    import apt_pkg
@ -80,6 +80,12 @@ except ImportError:

 VALID_SOURCE_TYPES = ('deb', 'deb-src')

+class CurlCallback:
+    def __init__(self):
+        self.contents = ''
+
+    def body_callback(self, buf):
+        self.contents = self.contents + buf

 class InvalidSource(Exception):
    pass
@ -250,8 +256,17 @@ class UbuntuSourcesList(SourcesList):

    def _get_ppa_info(self, owner_name, ppa_name):
        lp_api = 'https://launchpad.net/api/1.0/~%s/+archive/%s' % (owner_name, ppa_name)
-        connection = urllib2.urlopen(lp_api, timeout=30)
-        return json.loads(connection.read())
+        callback = CurlCallback()
+        curl = pycurl.Curl()
+        curl.setopt(pycurl.SSL_VERIFYPEER, 1)
+        curl.setopt(pycurl.SSL_VERIFYHOST, 2)
+        curl.setopt(pycurl.WRITEFUNCTION, callback.body_callback)
+        curl.setopt(pycurl.URL, str(lp_api))
+        curl.setopt(pycurl.HTTPHEADER, ["Accept: application/json"])
+        curl.perform()
+        curl.close()
+        lp_page = callback.contents
+        return json.loads(lp_page)

    def _expand_ppa(self, path):
        ppa = path.split(':')[1]