VYPR
High severity · NVD Advisory · Published Aug 6, 2013 · Updated Apr 29, 2026

CVE-2013-1630

Description

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
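The two controls the description says were missing, a TLS-only transport policy and an integrity check of the downloaded bytes against the hash fragment PyPI appends to release URLs, as an added Python example that is not pyshop's own code; the sample URL and content are constructed, and the fetch callable is supplied by the caller so the checks run offline.

```python
"""Added example (not pyshop's code): refuse cleartext release URLs and check
package bytes against the URL's hash fragment before anything is cached."""
import hashlib
import hmac
from urllib.parse import urlsplit


class DownloadPolicyError(Exception):
    """A release URL or its content failed the download policy."""


def require_https(url):
    """Reject any URL that does not use TLS instead of silently fetching it."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise DownloadPolicyError("refusing non-HTTPS release URL: %s" % url)
    return url


def verify_content(url, content):
    """Compare downloaded bytes with the '#sha256=...' digest pinned in the URL."""
    algo, sep, hexdigest = urlsplit(url).fragment.partition("=")
    if not sep or algo not in hashlib.algorithms_available:
        raise DownloadPolicyError("release URL carries no usable hash fragment")
    actual = hashlib.new(algo, content).hexdigest()
    if not hmac.compare_digest(actual, hexdigest.lower()):  # constant-time
        raise DownloadPolicyError("digest mismatch for %s" % url)
    return content


def fetch_verified(url, fetch):
    """Download via caller-supplied fetch(url) -> bytes, applying both checks."""
    require_https(url)
    return verify_content(url, fetch(url))


def is_acceptable(url, content):
    """Boolean form of the policy: True only if both checks pass."""
    try:
        fetch_verified(url, lambda _url: content)
    except DownloadPolicyError:
        return False
    return True


# Constructed sample data: a fake sdist body and a PyPI-style URL carrying its digest.
SAMPLE_CONTENT = b"fake sdist bytes for pyshop"
SAMPLE_URL = ("https://pypi.python.org/packages/source/p/pyshop/pyshop-0.7.1.tar.gz"
              "#sha256=" + hashlib.sha256(SAMPLE_CONTENT).hexdigest())
```

In production `fetch` would wrap `requests.get(url, verify=True).content` after `raise_for_status()`, so a failed or altered download never reaches the cache directory.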

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
pyshop (PyPI)    < 0.7.1             0.7.1

Affected products

  • cpe:2.3:a:guillaume_gauvrit:pyshop:*:*:*:*:*:*:*:* (version range: <= 0.7)
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:guillaume_gauvrit:pyshop:0.6:*:*:*:*:*:*:*

Patches

Commit ffadb0bcdef1

Improve security when downloading from pypi

https://github.com/mardiros/pyshop · Guillaume Gauvrit · Feb 6, 2013 · via ghsa
4 files changed · +3472 -3
  • MANIFEST.in (+1 -1, modified)
    @@ -1,2 +1,2 @@
     include *.txt *.ini *.cfg *.rst
    -recursive-include pyshop *.ico *.png *.css *.scss *.txt *.js *.html *.pot *.po
    +recursive-include pyshop *.ico *.png *.css *.scss *.txt *.js *.html *.pot *.po *.pem
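Review bot: including `*.pem` here ships the 3460-line `pypi.pem` bundle with every sdist, which pins PyPI's certificate chain into the package; when the upstream CA rotates, downloads break until a new pyshop release is cut, so the commit should state how the bundle is refreshed, or fall back to the platform CA store with the pinned bundle as an opt-in.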
    
  • pyshop/helpers/download.py (+6 -1, modified)
    @@ -33,7 +33,12 @@ def __call__(self, value, system):
                     if not os.path.exists(dir_):
                         os.makedirs(dir_, 0750)
     
    -                resp = requests.get(value['url'])
    +                if value['url'].startswith('https://pypi.python.org'):
    +                    verify = os.path.join(os.path.dirname(__file__), 'pypi.pem')
    +                else:
    +                    verify = value['url'].startswith('https:')
    +
    +                resp = requests.get(value['url'], verify=verify)
                     with open(f, 'wb') as rf:
                         rf.write(resp.content)
                     return resp.content
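Review bot: `verify=` secures the transport, but `resp.content` is still written to the cache and returned without any check of the response status or of the content itself, so a non-200 body ends up cached as a package and the integrity gap named in the advisory remains; add `resp.raise_for_status()` before `open(f, 'wb')` and compare `resp.content` against the hash fragment PyPI appends to release URLs. Also, for a non-PyPI `http://` URL the `else` branch sets `verify = False`, so cleartext downloads from other hosts continue unverified instead of being rejected.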
    
  • pyshop/helpers/pypi.pem (+3460 -0, added)
  • pyshop/views/repository.py (+5 -1, modified)
    @@ -6,8 +6,12 @@ def get_release_file(root, request):
         session = DBSession()
     
         f = ReleaseFile.by_id(session, int(request.matchdict['file_id']))
    +    url = f.url
    +    if url.startswith('http://pypi.python.org'):
    +        url = 'https' + url[4:]
    +
         rv = {'id': f.id,
    -          'url': f.url,
    +          'url': url,
               'filename': f.filename,
               }
         f.downloads += 1
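Review bot: the rewrite only upgrades URLs that begin with `http://pypi.python.org`, so a `ReleaseFile` whose stored URL uses a mirror or a differently written host stays on cleartext HTTP and lands in the download helper's unverified branch; consider upgrading (or rejecting) any `http://` URL and normalising once at ingestion rather than on every view. Unchanged here, `f.downloads += 1` is also counted before the download is known to succeed.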
    
