Fix SSL verification precedence: Respect session.verify when method verify parameter is None #7075
+89 −1
Summary
Potentially solves #5922, #5816, #3829 and #5921 by fixing a bug in SSL verification handling where session.verify=False was not properly respected when the method-level verify parameter was None (not explicitly provided). The environment variables REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE would incorrectly override the session's verify setting.

Problem
The previous implementation had a logical flaw in Session.request() that checked if the method-level verify parameter was True or None before applying environment variables, but it did not consider the session's verify setting first. This meant:
session.verify=False and verify=None (default), the code would still check environment variables
REQUESTS_CA_BUNDLE were set to invalid paths, the request would fail even though the user explicitly disabled verification at the session level

Solution
Modified the verification logic in sessions.py to:
True or None before applying environment variables
session.verify=False is respected when no method-level override is provided

Code Changes

Test Coverage
Added tests for all 9 combinations of session.verify and method verify parameters:
session.verify=True with method verify=True/None/False
session.verify=None with method verify=True/None/False
session.verify=False with method verify=True/None/False (the bug case)
All tests validate that:
None True or None

Impact
This fix ensures consistent and predictable SSL verification behavior, particularly for users who:
session.verify=False for testing or development environments
REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variables configured

Backward Compatibility
This change is backward compatible. It only fixes incorrect behavior where session settings were being ignored. All valid use cases continue to work as expected.
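
The precedence described above can be checked with a small stand-alone model. This is an added example, not code from requests or from this pull request's diff. The function names (`resolve_before`, `resolve_after`, `compare`) are hypothetical, the CA bundle path is constructed, and the "after" ordering is an assumption drawn from the description.

```python
from itertools import product

ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def env_bundle(environ):
    """Return the first non-empty CA bundle path from the environment, or None."""
    for name in ENV_VARS:
        if environ.get(name):
            return environ[name]
    return None


def merge(method_verify, session_verify):
    """The method-level value wins unless it was not provided (None)."""
    return session_verify if method_verify is None else method_verify


def resolve_before(method_verify, session_verify, environ):
    """Reported behaviour: env vars are applied without consulting the session."""
    if method_verify is True or method_verify is None:
        method_verify = env_bundle(environ) or method_verify
    return merge(method_verify, session_verify)


def resolve_after(method_verify, session_verify, environ):
    """Described fix (assumed ordering): merge first, then apply env vars."""
    effective = merge(method_verify, session_verify)
    if effective is True or effective is None:
        effective = env_bundle(environ) or effective
    return effective


def compare(environ):
    """Map (session.verify, method verify) -> (before, after) for all 9 combinations."""
    return {
        (s, m): (resolve_before(m, s, environ), resolve_after(m, s, environ))
        for s, m in product((True, None, False), repeat=2)
    }


if __name__ == "__main__":
    constructed_env = {"REQUESTS_CA_BUNDLE": "/constructed/ca.pem"}  # sample value
    for (s, m), (before, after) in compare(constructed_env).items():
        flag = "  <-- differs" if before != after else ""
        print(f"session={s!s:5} method={m!s:5} before={before!s:20} after={after!s}{flag}")
```

In this model only the `session.verify=False`, method `verify=None` row changes, which is the combination the description calls the bug case.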