I would recommend fixing it since it's potentially remote code execution
on systems like Redis (latest versions of Redis have this mitigated)
though I must admit I don't fully understand the complexity since there
are multiple issues linked. Go was also assigned a CVE for the linked issue
and it seemed to be the same reporter by username: CVE-2019-9741. I
tried using Go's approach in the commit but urlopen accepts more URLs
like data URLs [0] that seemed to accept \n as a valid case and the
patch broke some tests. Looking at the issue discussion, complexity also
involves backwards compatibility. Golang also pushed an initial fix that
seemed to break their internal tests [0] to arrive at a simpler
fix.