CVE-2023-48052

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.


# Cryptographic API Misuse Vulnerability: Missing SSL Certificate Validation

- Do not use unverified hostname or certificates in connection
- Do not disable HTTPS warnings

### Description:

In HTTPie 3.2.2, there are sections where SSL certificate validation appears to be missing. Proper SSL certificate validation is a cornerstone of secure communication over HTTPS, and its absence can lead to severe security risks such as Man-In-The-Middle (MITM) attacks. In particular, the code does not enforce hostname verification or certificate validation, and it may also be suppressing HTTPS-related warnings that would typically alert a user to a potential security issue.

### Affected Version

v3.2.2

### Location:

- https://github.com/httpie/cli/blob/master/httpie/internal/update_warnings.py#L44
- https://github.com/httpie/cli/blob/master/httpie/client.py#L33

### Reference

- CWE-295: Improper Certificate Validation
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-319: Cleartext Transmission of Sensitive Information

### Expected Behavior:

The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. Additionally, any HTTPS warnings should be displayed to the user, rather than being disabled, to avoid security oversights.

### Actual Behavior:

The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. Furthermore, HTTPS warnings that are essential for debugging and security awareness are not displayed, potentially leaving users unaware of misconfigured or insecure SSL implementations.

### Recommendation

- Do not use `urllib3.disable_warnings()` to suppress TLS warnings; it is dangerous. Please delete it.
- Set `verify=True` on the GET request so that SSL certificate validation is performed.

Due to the sensitive nature of data transmitted over HTTPS, it is imperative to address this vulnerability promptly to maintain the integrity and confidentiality of client-server communication for HTTPie users.
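The two patterns named in the recommendation can be caught in code review or CI with a small static check. The following is an added example, not HTTPie's code and not part of the original report; the function names and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source (not HTTPie's code): one unsafe and one safe request.
SAMPLE = '''\
import requests
import urllib3

urllib3.disable_warnings()

def fetch_unsafe(url):
    return requests.get(url, verify=False)

def fetch_safe(url):
    return requests.get(url, verify=True, timeout=10)
'''


def _call_name(func):
    """Return the dotted name of a call target, e.g. 'urllib3.disable_warnings'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def find_tls_misuse(source):
    """Return sorted (line, message) findings for the two patterns in the recommendation."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        # Pattern 1: TLS warnings silenced globally.
        if name.split(".")[-1] == "disable_warnings":
            findings.append((node.lineno, f"{name}() suppresses TLS warnings"))
        # Pattern 2: certificate verification switched off with a literal False.
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, f"{name}(verify=False) skips certificate validation"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_tls_misuse(SAMPLE):
        print(f"line {line}: {message}")
```

The check only flags a literal `verify=False`; a value passed through a variable or configuration option needs a manual look.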

Related news

GHSA-8r96-8889-qg2x: HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack
