Switched from using urllib2 to requests.

urllib2 is a security hazzard, it does not perform certificate checks against a trust root by default, nor does it perform service_identity checks. Also, requests has a prettier API.
2026-04-26 08:39:19 -04:00 · 2014-11-18 08:13:06 -08:00 · 2014-11-18 08:13:06 -08:00 · efaec60e6b
commit efaec60e6b
parent ec92f6d935
3 changed files with 12 additions and 11 deletions
--- a/letsencrypt/client/client.py
+++ b/letsencrypt/client/client.py
@ -1,10 +1,7 @@
 #!/usr/bin/env python

 import M2Crypto
-import urllib2, json
-# XXX TODO: per https://docs.google.com/document/pub?
-#id=1roBIeSJsYq3Ntpf6N0PIeeAAvu4ddn7mGo6Qb7aL7ew
-# urllib2 is unsafe (!) and must be replaced
+import json
 import os, grp, pwd, sys, time, random, sys, shutil

 # This line suppresses the no logging found for module 'jose' warning
@ -22,6 +19,8 @@ from Crypto.PublicKey import RSA
 from Crypto.Signature import PKCS1_v1_5
 from Crypto.Hash import SHA256

+import requests
+
 from letsencrypt.client.acme import acme_object_validate
 from letsencrypt.client.sni_challenge import SNI_Challenge
 from letsencrypt.client.payment_challenge import Payment_Challenge
@ -478,10 +477,10 @@ class Client(object):
    def send(self, json_obj):
        try:
            acme_object_validate(json.dumps(json_obj))
-            response = urllib2.urlopen(
-                self.server_url, json.dumps(json_obj)).read()
-            acme_object_validate(response)
-            return json.loads(response)
+            response = requests.get(self.server_url, json=json_obj)
+            body = response.content
+            acme_object_validate(body)
+            return response.json()
        except:
            logger.fatal("Send() failed... may have lost connection to server")
            sys.exit(8)
--- a/letsencrypt/client/recovery_contact_challenge.py
+++ b/letsencrypt/client/recovery_contact_challenge.py
@ -1,8 +1,9 @@
+import requests
+
 from letsencrypt.client.challenge import Challenge
 from letsencrypt.client import logger
 from letsencrypt.client.CONFIG import RECOVERY_TOKEN_EXT
-# TODO: Replace urllib2 because of lack of certificate validation checks
-import dialog, urllib2
+import dialog

 class RecoveryContact(Challenge):
    
@ -48,7 +49,7 @@ class RecoveryContact(Challenge):
        
    def poll(self, rounds = 10, quiet = True):
        for i in range(rounds):
-            if urllib2.urlopen(self.successURL).getcode() != 200:
+            if requests.get(self.successURL).status_code != 200:
                time.sleep(self.poll_delay)
            else:
                return True
--- a/setup.py
+++ b/setup.py
@ -71,6 +71,7 @@ setup(
    ],
    install_requires=[
        #'dialog',
+        'requests>=2.4.3',
        'protobuf',
        'python-augeas',
        'pycrypto',