Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2017-July/148700.html below:

[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

• Previous message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
• Next message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> https://bugs.python.org/issue29606
> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> => not fixed yet

Ok, I more concrete problem. To fix the "urllib FTP" bug, we have to
find a balance between security (reject any URL looking like an
attempt to counter the security protections) and backward
compatibility (accept filenames containing newlines).

Maybe we need to only reject an URL which contains a newline in the
"host" part, but accept them in the "path" part of the URL? The
question is if the code splits correctly "host" and "path" parts when
the URL contains a newline. My bet is that no, it behaves badly :-)

Victor

• Previous message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
• Next message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4