[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Victor Stinner victor.stinner at gmail.com
Sat Jul 22 12:38:16 EDT 2017


On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storchaka at gmail.com> wrote:

I think the only reliable way of fixing the vulnerability is rejecting or
escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
support of RFC 2640 is a new feature and can be added only in 3.7. And this
feature should be optional since not all servers support RFC 2640.
https://github.com/python/cpython/pull/1214 does the right thing.


In that case, I suggest rejecting newlines in ftplib, and maybe adding an
opt-in option to escape newlines.

Java just rejected newlines, no? Or does Java allow escaping them?

Victor
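An added illustration of the "reject newlines" option discussed above (example code written for this page, not CPython's ftplib or the code in PR 1214; the function names are hypothetical): a naive command builder next to one that refuses CR and LF, plus a helper showing how many command lines a line-oriented server would parse from each result.

```python
# Added example (not CPython's ftplib, nor the code in PR 1214): why a CR or LF
# inside a command argument matters, and the "reject" mitigation from the thread.

CRLF = "\r\n"


def build_command_unsafe(cmd: str, arg: str) -> bytes:
    """Naive builder: concatenate and terminate with CRLF, no validation.

    A CR or LF inside `arg` ends the current line early, so the bytes put on
    the wire carry more than one command line.
    """
    return f"{cmd} {arg}{CRLF}".encode("latin-1")


def build_command(cmd: str, arg: str) -> bytes:
    """Hardened builder: refuse any CR or LF before the line is assembled."""
    line = f"{cmd} {arg}"
    if "\r" in line or "\n" in line:
        raise ValueError("an illegal newline character should not be contained")
    return (line + CRLF).encode("latin-1")


def server_view(wire: bytes) -> list[str]:
    """Command lines a line-oriented FTP server would parse out of `wire`."""
    return wire.decode("latin-1").splitlines()


def rejects(cmd: str, arg: str) -> bool:
    """True if the hardened builder refuses this (cmd, arg) pair."""
    try:
        build_command(cmd, arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed untrusted input: a path that happens to contain CRLF.
    tainted = "pub\r\nNOOP"
    print(server_view(build_command_unsafe("CWD", tainted)))  # two commands
    print(rejects("CWD", tainted))                            # True
    print(server_view(build_command("CWD", "pub")))           # ['CWD pub']
```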