mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-11-25 05:33:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Require HTTPS for CDN requests (#15660)

Browse source 
## Summary

This should arguably enforce same-realm (as the API), but this is a good
guardrail for now.
This commit is contained in:
Charlie Marsh 2025-09-03 09:32:12 -04:00 committed by GitHub
parent ad35d120d6
commit 8473ecba11
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
crates/uv-auth/src/pyx.rs
View file

@ -539,7 +539,7 @@ fn is_known_url(url: &Url, api: &DisplaySafeUrl, cdn: &str) -> bool {
//
// For example, if URL is on `files.astralhosted.com` and the CDN domain is
// `astralhosted.com`, consider it known.
if matches_domain(url, cdn) {
if matches!(url.scheme(), "https") && matches_domain(url, cdn) {
return true;
}
@ -603,6 +603,13 @@ mod tests {
cdn_domain
));
// CDN on HTTP.
assert!(!is_known_url(
&Url::parse("http://astralhosted.com/packages/").unwrap(),
&api_url,
cdn_domain
));
// Unknown domain.
assert!(!is_known_url(
&Url::parse("https://pypi.org/simple/").unwrap(),