No check of host certificate

Question

No check of host certificate

cym13 opened this issue 7 years ago · 2 comments

All calls with request.get have disabled certificate verification. This puts the user in danger of a man in the middle.

While the information in those pages isn't private this opens the door to modification of the results. Those results are then printed on screen.

One possible attack scenario is to inject terminal control characters. Some terminal emulators allow things like writing a log to a file through control characters. This could therefore lead to remote code execution.

I see no good reason to disable those security features and recommend turning them on.

Answer 1 · 2017-04-17T16:34:24.000Z

Thanks... 👍 Yes SSL must be enabled...

Answer 2 · 2017-04-17T16:47:01.000Z

Instructions to fix the issue

Comment in this issue if you are interested 👍
Find all lines containing:

requests.get(soqurl + query, verify=False)

Change it to:

requests.get(soqurl + query)

Submit a new Pull request ⭐️