On 29/07/15 18:50, Guido van Rossum wrote:
> I believe that in this particular case, the bug was fixed (by tightening the requirements for headers) because the bug can lead to security vulnerabilities. I think you can find more by Googling for keywords like "http header injection". The more recent Python 2.7 bugfix releases have specific exemptions from the backwards compatibility requirements for security fixes -- because their lifespan will still be many years (EOL of 2.7 is summer 2020).
That argument is valuable but it fails when considering that this fix will be present in 3.4.4 too, with a normal EOL. I am OK with that, though. As I said, I sent my first message for policy verification and to raise awareness.
:-).
PS: I rarely read python-dev. Too much traffic for me :-(.
-- 
Jesús Cea Avión                         jcea@jcea.es - http://www.jcea.es/
Twitter: @jcea
jabber / xmpp:jcea@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
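The "http header injection" class Guido refers to, illustrated with an added example that is not part of the thread or of CPython's own code. It shows why a CR/LF inside a header value is a bug in a naive request builder, an application-level check that rejects such values outright, and a probe of the standard library's own validation in `http.client.HTTPConnection.putheader()`, which raises `ValueError` on an illegal header value (this is the tightening the thread discusses; the probe fills only the request buffer and makes no network connection). The host name, the header values and the `HOSTILE`/`BENIGN` samples are constructed for the example.

```python
"""Added example (not from the python-dev thread or from CPython itself):
why a CR/LF in an HTTP header value is a security bug, and two layers of
validation that stop it. Standard library only; sample values are constructed."""
import http.client
import re


def naive_request_lines(method, path, headers):
    """The kind of builder the fix protects: values are concatenated into the
    wire format unescaped, so a CR/LF inside a value starts a new header line.
    Returns the request split back into lines to make the split visible."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines).split("\r\n")


# Application-level check: reject any CR or LF, which is stricter than the
# stdlib (the stdlib still tolerates RFC 7230 obsolete line folding, "\r\n ").
_CR_OR_LF = re.compile(r"[\r\n]")


def is_clean_header_value(value: str) -> bool:
    return _CR_OR_LF.search(value) is None


def stdlib_rejects(name: str, value: str) -> bool:
    """Library-level check: putrequest()/putheader() only append to an
    in-memory buffer, so this probes http.client's header validation without
    any I/O. The host name is a constructed placeholder."""
    conn = http.client.HTTPConnection("invalid.example", 80)
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:  # raised for an illegal header name or value
        return True
    return False


# Constructed sample values: a cookie, and the same cookie with a second
# header smuggled in behind a CR/LF.
BENIGN = "session=abc"
HOSTILE = "session=abc\r\nX-Injected: 1"

if __name__ == "__main__":
    # The naive builder emits the injected line as its own header.
    for line in naive_request_lines("GET", "/", {"Cookie": HOSTILE}):
        print(repr(line))
    print("app check rejects hostile:", not is_clean_header_value(HOSTILE))
    print("stdlib rejects hostile:", stdlib_rejects("Cookie", HOSTILE))
    # Caveat: obsolete line folding passes the stdlib check but not ours.
    print("stdlib rejects obs-fold:", stdlib_rejects("Cookie", "a\r\n b"))
```

The two checks differ on purpose: `http.client` must keep accepting legacy line folding, so code that builds headers from untrusted input should apply the stricter `is_clean_header_value` style check before the value ever reaches the library.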