On Fri, Apr 15, 2011 at 09:35:06AM +0100, Gustavo Narea wrote:
> How come a description of how to exploit a security vulnerability comes before a release for said vulnerability? I'm talking about this: http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>
> My understanding is that the whole point of asking people not to report security vulnerabilities publicly was to allow time to release a fix.
Yes, I agree with you. I am surprised that it made it to the blog and is just catching more attention (via responses/retweets) than it is worth. FWIW, if we analyze the technical details more carefully, urllib/urllib2 as a library could have redirected to a file:// URL, but it is a library and not a web server, and the person who wrote the server could catch the redirection and handle it at a higher level too. This may sound less drastic than it appears in the post. Anyway, it was an issue and it is fixed.

-- 
Senthil

<calc> Knghtbrd: irc doesn't compile c code very well ;)
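The "handle it at a higher level" approach from the reply above, as an added example that is not code from this thread, from the linked blog post, or from CPython itself. It is written against Python 3's urllib.request (the thread is about the Python 2 urllib/urllib2 modules, which Python 3 merged into urllib.request), and the names SafeRedirectHandler, is_web_url, make_opener and redirect_decision are assumptions made for the example. The handler subclasses HTTPRedirectHandler and refuses any Location target whose scheme is not http or https, so a remote server cannot steer the client at a file:// path; the redirect_decision helper drives the handler offline on constructed inputs.

```python
"""Reject HTTP redirects to non-web schemes before urllib follows them.

Added example, not code from the mailing-list thread or from CPython.
Assumed names: SafeRedirectHandler, is_web_url, make_opener, redirect_decision.
"""
import urllib.error
import urllib.parse
import urllib.request

# Schemes a redirect is allowed to land on. Anything else (file://, ftp://,
# data:, ...) is refused so a remote server cannot point the client at
# local resources.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_web_url(url):
    """Return True only for absolute http(s) URLs that carry a host."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


class SafeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that refuses to follow non-http(s) Location targets."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # By the time this runs, newurl has been joined against the request
        # URL, so a relative Location is already an absolute http(s) URL.
        if not is_web_url(newurl):
            raise urllib.error.HTTPError(
                req.full_url, code,
                "refusing redirect to non-web URL: %s" % newurl,
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener():
    """Opener with SafeRedirectHandler in place of the stock redirect handler.

    build_opener drops a default handler when a subclass of it is supplied,
    so this handler is the only one deciding whether a redirect is followed.
    """
    return urllib.request.build_opener(SafeRedirectHandler())


def redirect_decision(original_url, location, code=302):
    """Drive the handler offline for a given Location header value.

    Returns the URL that would be followed, or None if the redirect was
    refused. Inputs are constructed; no network access takes place.
    """
    handler = SafeRedirectHandler()
    req = urllib.request.Request(original_url)
    newurl = urllib.parse.urljoin(original_url, location)
    try:
        new_req = handler.redirect_request(req, None, code, "Found", {}, newurl)
    except urllib.error.HTTPError:
        return None
    return new_req.full_url


if __name__ == "__main__":
    for loc in ("/login", "https://example.org/x", "file:///etc/passwd"):
        print(loc, "->", redirect_decision("http://example.com/start", loc))
```

Installing the opener with urllib.request.install_opener(make_opener()) makes urlopen use it process-wide; passing it explicitly keeps the policy local to one call site. The fix that shipped put a scheme check of this kind inside the library's own HTTPRedirectHandler, so on a patched interpreter this handler is a second line of defence rather than the only one.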