#1254 assigned defect

eliminate use of urllib.urlopen in check_load

Reported by: davidsarah
Owned by: davidsarah
Priority: major
Milestone: soon
Component: code
Version: 1.8.0
Keywords: security capleak
Cc:
Launchpad Bug:

Description

As noted in ticket:1253#comment:9, we should not be using urllib.urlopen (or urllib2.urlopen) anywhere, because its use of proxy servers is in violation of our security model.

Change History (3)

comment:1 Changed at 2010-12-25T00:09:39Z by warner

The only uses I find are in some load-testing test utilities and in the ancient probably-doesn't-even-work-anymore "config wizard":

% find src -name '*.py' |xargs grep urlopen
src/allmydata/gui/confwiz.py:    conn = urllib2.urlopen(url, argstr)
src/allmydata/test/check_load.py:    data = urllib.urlopen(url).read()
src/allmydata/test/check_load.py:    f = urllib.urlopen(url)

All our CLI tools use httplib.HTTPConnection (or HTTPSConnection).

Does this seem safe to close?

comment:2 Changed at 2010-12-26T03:20:41Z by davidsarah

  • Owner changed from somebody to davidsarah
  • Status changed from new to assigned

#1282 would remove the config wizard.

The check_load test, although it is currently bitrotten IIRC, is still useful and should be fixed. Using a proxy might cause it to fail for the wrong reason.

comment:3 Changed at 2011-01-02T18:55:49Z by davidsarah

  • Summary changed from eliminate all uses of urllib.urlopen to eliminate use of urllib.urlopen in check_load
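
The proxy behaviour this ticket is about, shown as an added example that is not part of the ticket or of the Tahoe-LAFS code. It uses the Python 3 names (urllib.request, http.client) for the Python 2 modules named above; the two loopback servers, the constructed cap path and the function names are assumptions made for the demonstration.

```python
import http.client
import http.server
import os
import threading
import urllib.request

CAP_PATH = "/uri/URI:CONSTRUCTED-EXAMPLE-CAP"  # constructed value, not a real cap

class Recorder(http.server.BaseHTTPRequestHandler):
    """Records the request target that each loopback server receives."""
    def do_GET(self):
        self.server.seen.append(self.path)
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):
        pass  # keep the demonstration quiet

def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), Recorder)
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():
    node, proxy = start_server(), start_server()  # gateway and proxy stand-ins
    url = "http://127.0.0.1:%d%s" % (node.server_port, CAP_PATH)
    saved = dict(os.environ)
    os.environ["http_proxy"] = "http://127.0.0.1:%d" % proxy.server_port
    for name in ("no_proxy", "NO_PROXY"):
        os.environ.pop(name, None)
    try:
        # Default handler chain, the same one urlopen() builds: honours http_proxy,
        # so the full URL (cap included) is sent to the proxy, not to the node.
        urllib.request.build_opener().open(url).read()
        via_default = (list(node.seen), list(proxy.seen))
        # An empty ProxyHandler disables the environment-derived proxies.
        urllib.request.build_opener(urllib.request.ProxyHandler({})).open(url).read()
        # http.client never consults proxy environment variables.
        conn = http.client.HTTPConnection("127.0.0.1", node.server_port)
        conn.request("GET", CAP_PATH)
        conn.getresponse().read()
        conn.close()
    finally:
        os.environ.clear()
        os.environ.update(saved)
        for srv in (node, proxy):
            srv.shutdown()
            srv.server_close()
    return via_default, list(node.seen), list(proxy.seen)
```
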