[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Giampaolo Rodola' g.rodola at gmail.com
Sat Jul 22 13:10:15 EDT 2017
On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stinner at gmail.com> wrote:

> On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storchaka at gmail.com> wrote:
>
>> I think the only reliable way of fixing the vulnerability is rejecting or escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding support for RFC 2640 is a new feature and can be added only in 3.7. And this feature should be optional since not all servers support RFC 2640. https://github.com/python/cpython/pull/1214 does the right thing.
>
> In that case, I suggest rejecting newlines in ftplib, and maybe adding an opt-in option to escape newlines. Java just rejected newlines, no? Or does Java allow escaping them?
>
> Victor

OK, let's just reject \n then and be done with it. It's a rare use case after all. Java just rejects \n for all commands and does not support escaping (aka RFC 2640).
--
Giampaolo - http://grodola.blogspot.com
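The "just reject \n" decision above, worked through as an added example (not code from this thread, from CPython's ftplib, or from PR 1214): a minimal command-line encoder that refuses CR and LF before anything reaches the control connection, next to an unchecked version, and a small server-side splitter that shows why the unchecked version turns one command into two. The function names, the `latin-1` default and the sample pathname are assumptions made for the example.

```python
"""Added example: reject CR/LF in FTP command lines (the fix the thread
settles on). RFC 2640 escaping is deliberately left out, matching the
decision to reject rather than escape."""

CRLF = "\r\n"


def naive_putline(line: str, encoding: str = "latin-1") -> bytes:
    """Encode a command line with no validation (the pre-fix behaviour)."""
    return (line + CRLF).encode(encoding)


def safe_putline(line: str, encoding: str = "latin-1") -> bytes:
    """Encode a command line, refusing any embedded CR or LF.

    Raising here keeps a tainted argument (for example a path taken from
    a URL) from ever being written to the control connection.
    """
    if "\r" in line or "\n" in line:
        raise ValueError("an illegal newline character should not be contained")
    return (line + CRLF).encode(encoding)


def split_commands(wire: bytes) -> list:
    """Split a raw control-connection stream into the command lines a
    server would see. Lines end in CRLF; many servers also accept a bare
    LF, so both are treated as terminators here."""
    text = wire.decode("latin-1")
    return [cmd for cmd in text.replace("\r\n", "\n").split("\n") if cmd]


# Constructed sample (not a real value): a pathname argument carrying an
# embedded CRLF followed by a harmless second command.
TAINTED_PATH = "pub" + CRLF + "PWD"


def demo() -> dict:
    """Compare both encoders on the tainted path and on a clean one."""
    naive = split_commands(naive_putline("CWD " + TAINTED_PATH))
    try:
        safe_putline("CWD " + TAINTED_PATH)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_commands": naive,   # the server sees two commands
        "safe_rejected": rejected,  # the checked encoder raised instead
        "clean": safe_putline("CWD pub"),
    }
```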