PTC-W6002 · Audit required: Server hostname may not be verified

Audit required: Server hostname may not be verified PTC-W6002

Security

Major

8 months ago — 8 months old

Unverified server hostname. Please use context.check_hostname = True to set up hostname validation.

105
106
107def tar_something():
108    context = ssl._create_stdlib_context()109    os.tempnam("dir1")
110    subprocess.Popen("/bin/chown *", shell=True)
111    o.system("/bin/tar xvzf *")

Description

It is recommended to validate server certificate's hostname specific data with the server hostname during SSL/TLS sessions to protect it from man-in-the-middle attacks.

In the highlighted code, the hostname validation is not enabled by default and it needs to be turned on. Please see the occurrence message for details.

Not preferred:

import ssl

context = ssl._create_stdlib_context()  # by default hostname verification is not done

Preferred:

import ssl

context = ssl._create_stdlib_context()
context.check_hostname = True  # Explicitly set `check_hostname` to True

deepsourcestatus / test-repository

Not preferred:

Preferred:

References