[Python-Dev] [ssl] The weird case of IDNA

Steven D'Aprano steve at pearwood.info
Mon Jan 1 02:29:25 EST 2018

On Sun, Dec 31, 2017 at 05:51:47PM -0800, Nathaniel Smith wrote:
> On Sun, Dec 31, 2017 at 5:39 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> > On Sun, Dec 31, 2017 at 09:07:01AM -0800, Nathaniel Smith wrote:
> >
> >> This is another reason why we ought to let users do their own IDNA handling
> >> if they want...
> >
> > I expect that letting users do their own IDNA handling will correspond
> > to not doing any IDNA handling at all.
> You did see the words "if they want", right?

Yes. Its the people who don't know that they ought to handle IDNA that 
concern me. They would "want to" if they knew they ought to, but they 
don't because they never even thought of non-ASCII URLs and consequently 
they write libraries or applications open to IDNA security issues.

> I'm not talking about
> removing the stdlib's default IDNA handling, I'm talking about fixing
> the cases where the stdlib goes out of its way to prevent users from
> overriding its IDNA handling.

That wasn't clear to me. I completely agree that the stdlib preventing 
people from overriding the IDNA is a bad thing that ought to be fixed, 
and that users should be able to opt out of it (presumably if they know 
enough to do that, they know enough to avoid IDNA vulnerabilities). I 
thought you meant it ought to be opt-in.

Sorry for misunderstanding you, but your wording suggested to me that 
you meant that the stdlib shouldn't do IDNA handling at all unless the 
user did it themselves (perhaps by calling an IDNA library in the std 
lib). I see now that's not what you meant.


More information about the Python-Dev mailing list