
Author vstinner
Recipients christian.heimes, corona10, ecbftw, giampaolo.rodola, martin.panter, serhiy.storchaka, supl, vstinner
Date 2017-07-21.10:42:54
Message-id <1500633775.28.0.205567236487.issue29606@psf.upfronthosting.co.za>
Content
Since corona10 abandoned his https://github.com/python/cpython/pull/1216, I created a new PR:
https://github.com/python/cpython/pull/2800

I chose to only reject newline (\n): "\r" and "\0" are not rejected.

My PR rejects any URL containing "\n", even if the newline is part of the "path" part of the URL. While I expect that filenames containing newlines are very rare, my PR is an incompatible change which breaks such a use case :-(

I don't know where the balance is between security and backward compatibility... I started a thread on python-dev:
https://mail.python.org/pipermail/python-dev/2017-July/148699.html
History
Date                 User      Action  Args
2017-07-21 10:42:55  vstinner  set     recipients: + vstinner, giampaolo.rodola, christian.heimes, martin.panter, serhiy.storchaka, ecbftw, supl, corona10
2017-07-21 10:42:55  vstinner  set     messageid: <1500633775.28.0.205567236487.issue29606@psf.upfronthosting.co.za>
2017-07-21 10:42:55  vstinner  link    issue29606 messages
2017-07-21 10:42:54  vstinner  create