[Python-Dev] [ssl] The weird case of IDNA
steve at pearwood.info
Mon Jan 1 02:29:25 EST 2018
On Sun, Dec 31, 2017 at 05:51:47PM -0800, Nathaniel Smith wrote:
> On Sun, Dec 31, 2017 at 5:39 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> > On Sun, Dec 31, 2017 at 09:07:01AM -0800, Nathaniel Smith wrote:
> >> This is another reason why we ought to let users do their own IDNA handling
> >> if they want...
> > I expect that letting users do their own IDNA handling will correspond
> > to not doing any IDNA handling at all.
> You did see the words "if they want", right?
Yes. Its the people who don't know that they ought to handle IDNA that
concern me. They would "want to" if they knew they ought to, but they
don't because they never even thought of non-ASCII URLs and consequently
they write libraries or applications open to IDNA security issues.
> I'm not talking about
> removing the stdlib's default IDNA handling, I'm talking about fixing
> the cases where the stdlib goes out of its way to prevent users from
> overriding its IDNA handling.
That wasn't clear to me. I completely agree that the stdlib preventing
people from overriding the IDNA is a bad thing that ought to be fixed,
and that users should be able to opt out of it (presumably if they know
enough to do that, they know enough to avoid IDNA vulnerabilities). I
thought you meant it ought to be opt-in.
Sorry for misunderstanding you, but your wording suggested to me that
you meant that the stdlib shouldn't do IDNA handling at all unless the
user did it themselves (perhaps by calling an IDNA library in the std
lib). I see now that's not what you meant.
More information about the Python-Dev