[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Victor Stinner victor.stinner at gmail.com
Fri Jul 21 06:45:36 EDT 2017
- Previous message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
- Next message (by thread): [Python-Dev] Need help to fix urllib(.parse) vulnerabilities
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> https://bugs.python.org/issue29606 http://python-security.readthedocs.io/vuln/urllibftpprotocolstreaminjection.html#urllib-ftp-protocol-stream-injection => not fixed yet
Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to find a balance between security (reject any URL looking like an attempt to counter the security protections) and backward compatibility (accept filenames containing newlines).
Maybe we need to only reject a URL which contains a newline in the "host" part, but accept them in the "path" part of the URL? The question is if the code splits correctly the "host" and "path" parts when the URL contains a newline. My bet is no, it behaves badly :-)
Victor
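As an added example (the editor's own code, not Victor's and not CPython's urllib or ftplib), the following models how a CR/LF that survives URL decoding ends up as extra commands on the FTP control channel, and reports per URL component (userinfo, host, path) whether it carries such a character, so the host-versus-path distinction raised above can be tried out. The URLs, the host name ftp.example.test and the USER/CWD/RETR sequence are constructed for illustration; the command model is simplified and does no network I/O.

```python
"""Model of FTP protocol stream injection through a URL (constructed example)."""
from urllib.parse import unquote

CRLF = "\r\n"


def split_ftp_url(url):
    """Split 'ftp://[user[:pw]@]host[:port]/path' into decoded components.

    The split is done by hand on the raw string rather than with
    urllib.parse.urlsplit(): recent CPython releases strip \\r, \\n and \\t
    inside urlsplit(), which would hide exactly the characters this example
    is about. Components are percent-decoded, as urllib's FTP handler
    decodes them before handing them to ftplib.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ftp":
        raise ValueError("not an ftp:// URL")
    authority, _, path = rest.partition("/")
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = "", authority
    return {
        "userinfo": unquote(userinfo),
        "host": unquote(hostport),
        "path": unquote(path),
    }


def ftp_command_lines(url):
    """Lines an FTP server would read on the control channel for this URL.

    Simplified model of the USER / CWD / RETR sequence (no PASS, no TYPE,
    no sockets). The point is the final split on CRLF: whatever newlines
    the components carry become command boundaries on the wire.
    """
    parts = split_ftp_url(url)
    user = parts["userinfo"].split(":", 1)[0] or "anonymous"
    *dirs, name = parts["path"].split("/")
    commands = [f"USER {user}"]
    commands += [f"CWD {d}" for d in dirs if d]
    commands.append(f"RETR {name}")
    wire = CRLF.join(commands) + CRLF
    return wire.split(CRLF)[:-1]


def newline_components(url):
    """Names of the URL components that contain a CR or LF after decoding."""
    parts = split_ftp_url(url)
    return sorted(name for name, value in parts.items()
                  if "\r" in value or "\n" in value)


def is_acceptable(url, allow_newline_in_path=False):
    """CR/LF in userinfo or host is always rejected; the path is optional
    (the backward-compatibility trade-off discussed in the thread)."""
    offenders = newline_components(url)
    if allow_newline_in_path:
        offenders = [c for c in offenders if c != "path"]
    return not offenders


if __name__ == "__main__":
    # Constructed URLs; ftp.example.test is a placeholder host name.
    injected = "ftp://ftp.example.test/pub/file%0d%0aPORT%2010,0,0,1,0,80"
    for line in ftp_command_lines(injected):
        print(repr(line))
    print(newline_components("ftp://ftp.example.test%0d%0aQUIT/index.html"))
    print(is_acceptable("ftp://ftp.example.test/weird%0aname.txt",
                        allow_newline_in_path=True))
```

Running it shows the cost side of the trade-off: with `allow_newline_in_path=True` the URL with a newline in the file name is accepted, but `ftp_command_lines` turns that same newline into an additional command on the wire, because the path is what ends up in CWD and RETR. The host check catches the `%0d%0aQUIT` host only because the split is done on the raw string before decoding; a splitter that decodes first, or that drops control characters, gives a different answer, which is the question raised in the message.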