Bug 1286799 - mozboot: Use requests to download rustup manifest. r=gps

Python urllib2 doesn't validate https origins in all versions. During actual bootstrap the static hash values act as an out-of-bound validatation channel. However, that doesn't help when doing the initial download and hash generation when invoked as `python rust.py [--update]`. Fortunately we don't expect to be called this way in standalone mode, so we can use the in-tree requests module to fetch things properly. MozReview-Commit-ID: KZTtIXDfWTB --HG-- extra : rebase_source : 14c505797a74de16a7e9bec1f791c0b4659d2932
2016-11-18 13:02:25 -08:00 · 2016-11-18 13:02:25 -08:00 · 067cedbf09
--- a/python/mozboot/mozboot/rust.py
+++ b/python/mozboot/mozboot/rust.py
@ -107,15 +107,11 @@ def rustup_latest_version():

 def http_download_and_hash(url):
    import hashlib
-    import urllib2
-    f = urllib2.urlopen(url)
+    import requests
    h = hashlib.sha256()
-    while True:
-        data = f.read(4096)
-        if data:
-            h.update(data)
-        else:
-            break
+    r = requests.get(url, stream=True)
+    for data in r.iter_content(4096):
+        h.update(data)
    return h.hexdigest()

 def make_checksums(version, validate=False):
@ -141,6 +137,14 @@ if __name__ == '__main__':
    # even if there's network delay.
    sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)

+    # Hook the requests module from the greater source tree. We can't import
+    # this at the module level since we might be imported into the bootstrap
+    # script in standalone mode.
+    #
+    # This module is necessary for correct https certificate verification.
+    mod_path = os.path.dirname(__file__)
+    sys.path.insert(0, os.path.join(mod_path, '..', '..', 'requests'))
+
    update = False
    if len(sys.argv) > 1:
        if sys.argv[1] == '--update':