python3 security question, os.system('wget...') vs urllib.request.urlopen(...)

Time:10-04

Today I faced a strange behavior in a headless driven print server (RaspPi / python3).

I need to download either PDFs or rendered Python scripts from a web server. Until now I used:

import os

src = "https://ssl.server.tld/path/to/file.pdf"
target = "/path/to/saved.pdf"

# Runs wget through the shell; the command line is built by string concatenation
os.system("wget -O " + target + " " + src)

From now on I use:

import urllib.request

with urllib.request.urlopen(src) as response, open(target, 'wb') as out_file:
    data = response.read()  # whole response body is read into memory
    out_file.write(data)

Here's the question: For a couple of days now, the SSL certificate has obviously been outdated. The os.system() version throws a NON-PYTHON ERROR:

https://ssl.***.de/config_page.py
Auflösen des Hostnamen »ssl.***.de (ssl.***s.de)«... 176.***.***.10
Verbindungsaufbau zu ssl.***.de (ssl.***.de)|176.***.***.10|:443... verbunden.
FEHLER: Dem Zertifikat von »ssl.***.de« wird nicht vertraut.
FEHLER: Das Zertifikat von »ssl.***.de« ist abgelaufen.

As I mentioned, there is no python error or exception, the file I want is being downloaded, but with a size of 0 bytes. Only the debugger shows the text quoted above in the console output.

The urllib version runs as desired, without errors, without console output, and with the correct file.

What am I missing? Is this a special security behavior of os.system()?

Thanks for your answers.

CodePudding user response:

As you can tell, wget is verifying the certificate while urlopen isn't.

If you want wget to skip checking the certificate, add the argument --no-check-certificate
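
A download helper that keeps certificate verification on for both routes and never leaves a 0-byte file behind, as an added example that is not code from the question or the answer. The function names are hypothetical. It passes an explicitly verifying TLS context to urlopen, writes to a temporary file that replaces the target only after a complete download, and calls wget with an argument list instead of a shell string so its exit status becomes a Python exception.

```python
import os
import shutil
import ssl
import subprocess
import tempfile
import urllib.request
from urllib.parse import urlsplit


def verifying_context():
    """TLS context that checks the certificate chain, expiry and hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    return ssl.create_default_context()


def fetch(src, target, timeout=30):
    """Download src to target; target is replaced only after a verified download."""
    if urlsplit(src).scheme != "https":
        raise ValueError("refusing non-HTTPS URL: " + src)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(target)))
    try:
        with os.fdopen(fd, "wb") as out_file, urllib.request.urlopen(
                src, context=verifying_context(), timeout=timeout) as response:
            shutil.copyfileobj(response, out_file)
        os.replace(tmp, target)  # atomic rename, only reached on success
    except BaseException:
        os.unlink(tmp)  # an expired or untrusted certificate ends up here
        raise


def wget_argv(src, target):
    """Argument list for subprocess.run: no shell, so no quoting problems."""
    return ["wget", "-O", target, "--", src]


def fetch_with_wget(src, target):
    """Run wget with verification left on; a failure raises instead of printing."""
    try:
        # check=True raises CalledProcessError on a non-zero exit status;
        # wget uses exit status 5 for an SSL verification failure
        subprocess.run(wget_argv(src, target), check=True)
    except subprocess.CalledProcessError:
        if os.path.exists(target):
            os.unlink(target)  # wget -O creates the file before it connects
        raise
```

With an expired certificate, `fetch` raises `urllib.error.URLError` and `fetch_with_wget` raises `subprocess.CalledProcessError`, so the print server can log the failure instead of printing an empty file.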
