[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Victor Stinner
victor.stinner at gmail.com
Fri Jul 21 06:45:36 EDT 2017
2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> https://bugs.python.org/issue29606
> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> => not fixed yet
Ok, I more concrete problem. To fix the "urllib FTP" bug, we have to
find a balance between security (reject any URL looking like an
attempt to counter the security protections) and backward
compatibility (accept filenames containing newlines).
Maybe we need to only reject an URL which contains a newline in the
"host" part, but accept them in the "path" part of the URL? The
question is if the code splits correctly "host" and "path" parts when
the URL contains a newline. My bet is that no, it behaves badly :-)
Victor
More information about the Python-Dev
mailing list