[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Giampaolo Rodola' g.rodola at gmail.com
Sat Jul 22 13:29:37 EDT 2017


On Sat, Jul 22, 2017 at 7:10 PM, Giampaolo Rodola' <g.rodola at gmail.com>
wrote:

>
>
> On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stinner at gmail.com>
> wrote:
>
>> On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storchaka at gmail.com>
>> wrote:
>>
>> I think the only reliable way of fixing the vulnerability is rejecting or
>> escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
>> support of RFC 2640 is a new feature and can be added only in 3.7. And this
>> feature should be optional since not all servers support RFC 2640.
>> https://github.com/python/cpython/pull/1214 does the right thing.
>>
>>
>> In that case, I suggest to reject newlines in ftplib, and maybe add an
>> opt-in option to escape newlines.
>>
>> Java just rejected newlines, no? Or does Java allow escaping them?
>>
>> Victor
>>
>>
> OK, let's just reject \n then and be done with it. It's a rare use case
> after all.
> Java just rejects \n for all commands and does not support escaping (aka
> RFC 2640).
>

I've just merged the PR. There's the question whether to backport this to
older versions, considering there's a small chance this may break some
code/apps, but considering the chance is small and this is a security fix I'd
probably be +0.5 for backporting it (2.7 + 3.x - not sure until when).

-- 
Giampaolo - http://grodola.blogspot.com
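The "reject, don't escape" policy the thread settles on, as an added example that is not part of the original message or of CPython's ftplib: a validator that refuses CR/LF in an FTP command or argument before CRLF is appended, plus a probe of the installed ftplib. The probe assumes (not stated in the thread) that on an unconnected FTP object a patched putline() raises ValueError before touching the socket, while an unpatched one fails with AttributeError because no socket exists yet.

```python
import ftplib

CR, LF = "\r", "\n"


def validate_ftp_line(line):
    """Return line unchanged if it carries no CR or LF, else raise ValueError.

    An FTP command line is terminated by CRLF, so a bare CR or LF inside a
    command or argument ends the line early and lets the remainder be parsed
    by the server as a second command. Rejecting is simpler than RFC 2640
    escaping and needs no server support.
    """
    if CR in line or LF in line:
        raise ValueError("an illegal newline character should not be contained")
    return line


def build_command(cmd, arg=None):
    """Assemble 'CMD arg', validating verb and argument separately so a
    newline hidden in either part is caught before the line is sent."""
    validate_ftp_line(cmd)
    if arg is None:
        return cmd
    validate_ftp_line(arg)
    return f"{cmd} {arg}"


def ftplib_rejects_newlines():
    """Probe whether the interpreter's ftplib carries the newline fix.

    Assumption: a patched putline() raises ValueError before using the
    socket; an unpatched one reaches self.sock (None here) and raises
    AttributeError. Nothing is sent on the network either way.
    """
    try:
        ftplib.FTP().putline("NOOP" + LF + "NOOP")  # constructed probe line
    except ValueError:
        return True
    except AttributeError:
        return False
    return False  # unexpected: the line was accepted silently


if __name__ == "__main__":
    print(build_command("CWD", "pub"))
    print("ftplib rejects CR/LF:", ftplib_rejects_newlines())
```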