[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Raymond Hettinger
raymond.hettinger at gmail.com
Fri Jul 21 15:32:43 EDT 2017
> On Jul 21, 2017, at 3:45 AM, Victor Stinner <victor.stinner at gmail.com> wrote:
>
> Ok, I more concrete problem. To fix the "urllib FTP" bug, we have to
> find a balance between security (reject any URL looking like an
> attempt to counter the security protections) and backward
> compatibility (accept filenames containing newlines).
For this case, the balance should probably tilt more towards security than backwards compatibility. I would be very concerned about such odd URLs.
That said, if backwards compatibility is going to be broken, consider giving users a temporary, clean way to opt-out of the additional projections (don't want to leave them high and dry if they happen to have a legitimate use case).
Raymond
More information about the Python-Dev
mailing list