[Python-Dev] [ssl] The weird case of IDNA (original) (raw)
Steven D'Aprano steve at pearwood.info
Mon Jan 1 02:29:25 EST 2018
- Next message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, Dec 31, 2017 at 05:51:47PM -0800, Nathaniel Smith wrote:
On Sun, Dec 31, 2017 at 5:39 PM, Steven D'Aprano <steve at pearwood.info> wrote: > On Sun, Dec 31, 2017 at 09:07:01AM -0800, Nathaniel Smith wrote: > >> This is another reason why we ought to let users do their own IDNA handling >> if they want... > > I expect that letting users do their own IDNA handling will correspond > to not doing any IDNA handling at all.
You did see the words "if they want", right?
Yes. Its the people who don't know that they ought to handle IDNA that concern me. They would "want to" if they knew they ought to, but they don't because they never even thought of non-ASCII URLs and consequently they write libraries or applications open to IDNA security issues.
I'm not talking about removing the stdlib's default IDNA handling, I'm talking about fixing the cases where the stdlib goes out of its way to prevent users from overriding its IDNA handling.
That wasn't clear to me. I completely agree that the stdlib preventing people from overriding the IDNA is a bad thing that ought to be fixed, and that users should be able to opt out of it (presumably if they know enough to do that, they know enough to avoid IDNA vulnerabilities). I thought you meant it ought to be opt-in.
Sorry for misunderstanding you, but your wording suggested to me that you meant that the stdlib shouldn't do IDNA handling at all unless the user did it themselves (perhaps by calling an IDNA library in the std lib). I see now that's not what you meant.
-- Steve
- Next message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]