
Bug#815199: ITP: acme-tiny -- letsencrypt tiny python client



On Fri, 19 Feb 2016 21:38:44 -0300
Jeremías Casteglione <debian@jrms.com.ar> wrote:

> Package: wnpp
> Severity: wishlist
> Owner: "Jeremías Casteglione" <debian@jrms.com.ar>
> 
> * Package name    : acme-tiny
>   Version         : 20151229
>   Upstream Author : Daniel Roesler <diafygi@gmail.com>
> * URL             : https://github.com/diafygi/acme-tiny
> * License         : MIT
>   Programming Lang: Python
>   Description     : letsencrypt tiny python client
> 
> acme-tiny is a tiny script to issue and renew TLS certs from Let's Encrypt


>PLEASE READ THE SOURCE CODE!

Ok. :)

The error handling in the whole script, but especially in the
wellknown-file writing section, is a bit lacking. It can easily happen
that a wellknown file is left in place if some exception happens. Or
even in the common path where the validation did not pass.

Also, I don't like the part where it does urlopen(challenge['uri']).
This essentially opens any URL, which can even be a local file, that the
remote end said it wants to open. I think the URI should be validated
before being passed to urlopen(). The connection the 'challenge' was
retrieved through is https, but we'd still have to trust the other end
not to send us funky URIs.

And I'm not sure about the github fork network. There seem to be forks
that added major stuff to the code and also (from a quick look)
addressed the exception bug from above.


-- 
Michael
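
The two points raised in the message above (validating the challenge URI before it reaches urlopen(), and removing the well-known file on every exit path) are sketched here as an added example; it is not acme-tiny's code and not part of the original message. The function names, the `acme.example` host and the same-host policy are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

CA = "https://acme.example"  # constructed placeholder, not a real CA endpoint

def check_challenge_uri(uri, ca_url=CA):
    """Return uri only if it is an https URL on the CA's own host and port."""
    ca, got = urlsplit(ca_url), urlsplit(uri)
    if got.scheme != "https":
        raise ValueError("refusing scheme %r" % got.scheme)  # file:, http:, ftp: ...
    # hostname excludes any userinfo part, so "https://ca@other/" compares as "other"
    if (got.hostname, got.port or 443) != (ca.hostname, ca.port or 443):
        raise ValueError("refusing host %r" % got.hostname)
    return uri

def serve_challenge(acme_dir, token, keyauth, validate):
    """Write the well-known file, call validate(), always remove the file."""
    # Assumption: tokens are base64url text; anything else could escape acme_dir.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("unexpected characters in token")
    path = os.path.join(acme_dir, token)
    try:
        with open(path, "w") as fh:
            fh.write(keyauth)
        return validate()
    finally:
        # Runs on success, on failed validation and on any exception.
        if os.path.exists(path):
            os.remove(path)

def demo():
    """Exercise both helpers on constructed inputs; return what was observed."""
    rejected = []
    for uri in ("file:///etc/passwd", "http://acme.example/c/1",
                "https://other.example/c/1"):
        try:
            check_challenge_uri(uri)
        except ValueError:
            rejected.append(uri)
    def failing():
        raise RuntimeError("simulated network error")
    with tempfile.TemporaryDirectory() as d:
        try:
            serve_challenge(d, "tok_1", "tok_1.thumb", failing)
        except RuntimeError:
            pass
        leftover = os.listdir(d)
    return rejected, leftover
```

`demo()` returns the list of rejected URIs and the directory contents after a simulated failure; the directory is empty because the `finally` clause ran.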
