Fix inconsistent behavior of trusted host #6709
Can you separate this into two PRs?
Also, I think you should at least do the deprecation warning when the |
307da8d to 1719bf5
@cjerdonek Oh sure, does the deprecation still work if the value is read from |
Yes, config values go through those option handling functions, too.
src/pip/_internal/download.py
Outdated
@@ -598,6 +598,9 @@ def __init__(self, *args, **kwargs): | |||
def add_insecure_host(self, host): | |||
# type: (str) -> None | |||
self.mount('https://{}/'.format(host), self._insecure_adapter) | |||
if ":" not in host: |
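Review bot: The `":" not in host` test on the last added line treats any colon as a port separator, so a bare IPv6 literal, which contains colons but carries no port, is classified as already having one. Parse the value as a host[:port] pair instead of testing for a colon, and note that the `mount()` prefix on the line above formats the host into the URL without brackets, which an IPv6 literal would also need.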
Shouldn't you be using some parsing function (e.g. based on urllib_parse.urlparse())? It doesn't seem like this would work e.g. with IPv6 addresses.
Yes, I tried the function but it didn't work when the scheme is missing. Is there a more elegant way to do this than supplying the scheme to form a full URL?
Well, a scheme is being added above anyways, so it wouldn’t require doing more than what’s already being done.
Hmmm, things get complicated when dealing with IPv6 addresses; we need a utility function to reliably construct a URL with an IPv6 host (and potentially a port).
src/pip/_internal/download.py
Outdated
@@ -598,6 +598,9 @@ def __init__(self, *args, **kwargs): | |||
def add_insecure_host(self, host): | |||
# type: (str) -> None | |||
self.mount('https://{}/'.format(host), self._insecure_adapter) | |||
if not urllib_parse.urlparse('https://{}/'.format(host)).port: |
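Review bot: The `if not urllib_parse.urlparse(...).port` test on the last added line relies on truthiness, so a parsed port of 0 is indistinguishable from no port at all; compare against `None` instead. The same `'https://{}/'.format(host)` string is also built twice in this method and does not bracket IPv6 literals, so moving the parsing into one small helper with its own unit tests would remove the duplication and make the IPv6 behaviour visible.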
Sorry for the delay. Can you make this line into a unit-testable function? It can be something like does_netloc_have_port(netloc) and be put before split_auth_from_netloc(). It will be easy to test that way, and you can follow the example of how the related functions are tested. It would also be easy to include a couple IPv6 tests among those so people can see what happens to those (as well as other edge cases).
Change as requested.
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
b7ecf78 to ddc9ccf
A few comments.
Some additional (final?) comments.
fc163e5 to 10b0a96
10b0a96 to bbae384
@frostming I squashed your commits and made some minor finishing changes, in preparation for merging. Thanks for your patience and for your excellent work on this! 💯
Thanks again!
Closes #6705
Propose for a hostname without port for the trusted-host option value and deprecate the other manner. Make sure all ports are recognized as insecure sources for the same host.
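
The host and port handling discussed in this thread (IPv6 literals, and a trusted-host entry without a port covering every port of that host), as an added example that is not pip's code. The names `split_host_port`, `is_trusted_origin` and `DEFAULT_PORTS`, and the default-port fallback, are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption of this example: a URL without an explicit port uses these.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(value):
    """Split a trusted-host value into (host, port); port is None if absent.

    Accepts 'example.com', 'example.com:8080', '[::1]', '[::1]:8080' and a
    bare IPv6 literal such as '::1' (treated as a host with no port).
    """
    value = value.strip()
    if not value:
        raise ValueError("empty host")
    # A bare IPv6 literal has two or more colons and no brackets; bracket it
    # so the URL parser does not read its last group as a port.
    if value.count(":") >= 2 and not value.startswith("["):
        value = "[{}]".format(value)
    parts = urlsplit("//" + value)
    if parts.hostname is None or parts.path or parts.username is not None:
        raise ValueError("not a host[:port] value: {!r}".format(value))
    # .hostname is lowercased by urlsplit; .port raises ValueError for a
    # non-numeric or out-of-range port.
    return parts.hostname, parts.port


def is_trusted_origin(url, trusted_hosts):
    """Return True if url's host matches an entry, on any port when the
    entry names no port, otherwise only on the port the entry pins."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return False
    url_port = parts.port
    if url_port is None:
        url_port = DEFAULT_PORTS.get(parts.scheme)
    for entry in trusted_hosts:
        host, port = split_host_port(entry)
        if host != parts.hostname:
            continue
        # Compare with `is None`, not truthiness: port 0 is a valid parse.
        if port is None or port == url_port:
            return True
    return False
```
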