[issue43882] [security] urllib.parse should sanitize urls containing ASCII newline and tabs.

Florian Apolloner report at bugs.python.org
Wed May 5 09:52:08 EDT 2021


Florian Apolloner <florian at apolloner.eu> added the comment:

Thank you for the kind words, Michał. We (Django) are exactly in the position that you describe. Our validation, at least for now, has to stay strict, exactly to prevent fallout further down the road (see https://github.com/django/django/pull/14349#pullrequestreview-652022529 for details).

Sure, we might have been a bit naive when relying on urllib.parse for parts of our validation routines, but this is why we have tests for this behavior. We can easily work around this fix and will issue a release shortly to prevent security issues for users on newer Python versions. But no matter how the Python code ends up in the long run, our validator (at least this specific class) cannot simply accept new URLs because a spec changed. We owe it to our users to keep in mind that relaxing the validation can cause other issues down the road.

----------
nosy: +apollo13

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43882>
_______________________________________
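The difference the comment above is drawing, between a validator that trusts what urllib.parse hands back and one that refuses the raw input outright, is easy to see in code. The block below is an added example, not Django's validator and not CPython's code; it assumes the characters at issue are ASCII tab, CR and LF (the ones bpo-43882 strips) and uses constructed sample URLs.

```python
"""Added example (not Django's or CPython's code): a parse-based URL check
beside the strict pre-check that rejects control characters up front.

Assumption: the characters of interest are ASCII tab, CR and LF, the ones
the bpo-43882 fix removes from URLs inside urllib.parse.
"""
from urllib.parse import urlsplit

# ASCII control characters that a patched urllib.parse strips before parsing.
UNSAFE_URL_CHARS = ("\t", "\r", "\n")


def parse_only_check(url: str) -> bool:
    """Accept the URL if urlsplit yields an http(s) scheme and a host.

    This mirrors a validator that trusts the parser's output. On a Python
    with the bpo-43882 fix the control characters are silently stripped, so
    a URL with an embedded newline still parses to a clean-looking netloc
    and is accepted; on an older Python the newline stays in netloc, which
    is still non-empty, so it is accepted there too. Either way the raw
    string, control characters included, is what gets stored and reused.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def strict_check(url: str) -> bool:
    """Reject any URL containing tab/CR/LF before parsing it at all.

    The decision does not depend on what the installed urllib.parse does
    with those characters, which is the property the Django comment wants.
    """
    if any(c in url for c in UNSAFE_URL_CHARS):
        return False
    return parse_only_check(url)


def describe(url: str) -> dict:
    """Report what each check decides and what urlsplit sees as the host."""
    return {
        "raw_has_control": any(c in url for c in UNSAFE_URL_CHARS),
        "netloc": urlsplit(url).netloc,
        "parse_only": parse_only_check(url),
        "strict": strict_check(url),
    }


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL, one with a newline inside
    # the host, one with a tab in the path.
    for sample in (
        "https://example.com/path",
        "https://exam\nple.com/path",
        "https://example.com/a\tb",
    ):
        print(repr(sample), describe(sample))
```

Run it on a Python with the fix and the newline sample reports netloc "example.com" with parse_only True and strict False; on an older Python the netloc keeps the newline but parse_only is still True. The strict result is the same on both, which is the point: a validator built on the parser's output changes behaviour with the interpreter version, a pre-check on the raw string does not.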