
Python's Restkit HTTP resource kit does not validate TLS, which means its HTTPS handling is broken and insecure

Python's Restkit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

>>> from restkit import request
>>> r = request("https://tv.eurosport.com/")
>>> r.body_string()
'<HTML><HEAD>...'
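
For comparison, an added example (not restkit's code and not part of the original advisory) that puts the unvalidated settings ssl.wrap_socket used by default beside a context that verifies the certificate chain and hostname. ssl.wrap_socket was removed in Python 3.12, so legacy_context() reproduces its defaults on an SSLContext; all four function names are hypothetical helpers.

```python
import socket
import ssl


def legacy_context():
    """Context matching the old ssl.wrap_socket() defaults: no validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT enables both checks; switch them off to mirror
    # wrap_socket(cert_reqs=CERT_NONE). check_hostname must be cleared first.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """Context that verifies the chain against system CAs and the hostname."""
    return ssl.create_default_context()


def validates_peer(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def handshake(host, ctx, port=443, timeout=10):
    """Return (ok, detail): TLS version on success, error text on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sends SNI and is what check_hostname compares to.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # host to test, supplied by the caller
    for name, ctx in (("legacy", legacy_context()),
                      ("verified", verified_context())):
        print(name, validates_peer(ctx), handshake(host, ctx))
```

Run against a host whose certificate does not validate, the legacy context completes the handshake while the verified context returns the verification error.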



[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html

---
Authored by Donald Stufft
