cert_fingerprint option is ignored: fingerprints aren't verified!

Sebastian Spaeth Sebastian at SSpaeth.de
Thu Apr 19 17:31:47 BST 2012


James Cook <james.cook at utoronto.ca> writes:

> I've found a bug in the code that checks fingerprints: namely,  
> fingerprints are never actually checked.

> The cause: imaplibutil.py checks for ssl support by checking if 'ssl'  
> is in locals(),
> but it should check globals(), since ssl is not a local variable.

Ooops, thanks for reporting. This is an embarassing one. Rather than
using globals() (as would be the correct fix), I have removed the
superfluous ssl check completely. We now rely on python2.6 and import
ssl unconditionally in any case now.

I checked in the fix as commit 895e709bf23eea3b8f546f240317580e34251cf3
into the 'next' branch, so it will be part of the next release.

Again, thanks for reporting.

P.S. I tested that cert_fingerprint is actually required and used now.

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20120419/d10e900c/attachment.sig>


More information about the OfflineIMAP-project mailing list