Support (or don't support) including a port number in --trusted-host · Issue #6886 · pypa/pip (original) (raw)
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Closed
frostming opened this issue
Aug 16, 2019
· 5 comments · Fixed by #6909
Comments
What's the problem this feature will solve?
Refer to #6705
for HTTP indexes, --trusted-host
option should be sans-port, if you give a port part then it aborts:
$ pip install -i http://localtest.me:5000 urllib3 --trusted-host localtest.me:5000
Looking in indexes: http://localtest.me:5000
Collecting urllib3
The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'.
Could not find a version that satisfies the requirement urllib3 (from versions: )
No matching distribution found for urllib3
While for HTTPS indexes, --trusted-host
should carry the port. (Now a fix is landed on master to support both, with port and without port).
Describe the solution you'd like
Pip should handle trusted-host correctly, whether the host has a port part or not.
with --trusted-host example.org
you trust all the subpaths and wildcard ports on the same host.
with --trusted-host example.org:8080
you only trust requests to 8080 port.
Alternative Solutions
Additional context
cjerdonek changed the titlePip should handle trusted-host correctly whether it contains port part. Support (or don't support) including a port number in --trusted-host
To add more info to the description above, currently, pip "happens" to behave correctly for HTTPS URL's when --trusted-host
includes a port number. I say "happens" because it's not supported for HTTP URL's, and the support is undocumented for HTTPS URL's; the documentation just says "hostname":
--trusted-host <hostname>
Mark this host as trusted, even though it does not have valid or any HTTPS.
So the question is whether to officially support port numbers or not. If so, we should add support for HTTP and update the documentation to say that port numbers are allowed. If not, we should probably deprecate allowing port numbers to be included in --trusted-host
values (for both HTTP and HTTPS).
@frostming I'm thinking we should add official support for this, in part because pip's code is already structured to support it. Would you be able to work up a PR? It's probably easiest to do it after PR #6903 is merged (or build the changes on top of those changes).
PR #6903 has been merged, FYI.
@cjerdonek Great, I will take a look when I get a chance.
@cjerdonek I have created a PR #6909 together with some test cases to illustrate the changes.
lock bot added the auto-locked
Outdated issues that have been locked by automation
label
lock bot locked as resolved and limited conversation to collaborators
2 participants