[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Raymond Hettinger raymond.hettinger at gmail.com
Fri Jul 21 15:32:43 EDT 2017
> On Jul 21, 2017, at 3:45 AM, Victor Stinner <victor.stinner at gmail.com> wrote:
> 
> Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to
> find a balance between security (reject any URL looking like an
> attempt to counter the security protections) and backward
> compatibility (accept filenames containing newlines).

For this case, the balance should probably tilt more towards security than backwards compatibility. I would be very concerned about such odd URLs.

That said, if backwards compatibility is going to be broken, consider giving users a temporary, clean way to opt-out of the additional protections (don't want to leave them high and dry if they happen to have a legitimate use case).


Raymond
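As an added illustration of the trade-off discussed in this thread (not code from CPython or from either author), the helper below extracts the path from an ftp:// URL and rejects CR/LF by default, while exposing the kind of temporary opt-out Raymond suggests. The function name `ftp_path_from_url` and its `allow_control_chars` parameter are hypothetical; the sample URLs are constructed. Note that recent CPython releases strip raw newline and tab characters inside `urlsplit` itself, so the check on the raw string happens before parsing and the check on the decoded path catches percent-encoded forms such as `%0A`.

```python
from urllib.parse import urlsplit, unquote

# CR and LF terminate FTP commands; a path containing either can turn one
# RETR/CWD into several commands, which is what the "urllib FTP" bug is about.
_CONTROL_CHARS = ("\r", "\n")


def _has_control_chars(s: str) -> bool:
    return any(c in s for c in _CONTROL_CHARS)


def ftp_path_from_url(url: str, allow_control_chars: bool = False) -> str:
    """Return the decoded path of an ftp:// URL.

    Hypothetical helper, not part of urllib. By default CR/LF are rejected both
    in the raw URL (before urlsplit, which may silently strip them) and in the
    percent-decoded path. allow_control_chars=True is the temporary opt-out for
    callers that really do have filenames containing newlines.
    """
    if not allow_control_chars and _has_control_chars(url):
        raise ValueError("control character in raw URL: %r" % url)
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL: %r" % url)
    path = unquote(parts.path)
    if not allow_control_chars and _has_control_chars(path):
        raise ValueError("control character in decoded FTP path: %r" % path)
    return path


def is_accepted(url: str, allow_control_chars: bool = False) -> bool:
    """True if ftp_path_from_url would accept the URL under the given policy."""
    try:
        ftp_path_from_url(url, allow_control_chars)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary, one with a percent-encoded LF.
    for sample in ("ftp://example.test/pub/readme.txt",
                   "ftp://example.test/pub/odd%0Aname.txt"):
        for opt_out in (False, True):
            print(sample, "allow_control_chars=%s ->" % opt_out,
                  "accepted" if is_accepted(sample, opt_out) else "rejected")
```

The strict path is the default, so only callers who deliberately pass the opt-out keep the old behaviour, which matches the thread's suggestion that security should win while still leaving a clean escape hatch.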