Message341175
Backports to older releases will need to be done manually and take care depending on how much of a concern tightening the existing abusive lenient behavior of the http.client API to enforce what characters are allowed in URLs is to stable releases.
I question if this is _really_ worthy of a "security" tag and a CVE (thus its non-high ranking)... it is a bug in the calling program if it blindly uses untrusted data as a URL. What this issue addresses is that we catch that more often and raise an error; a good thing to do for sure, but the stdlib should be the last line of defense.

Date | User | Action | Args
2019-05-01 02:18:09 | gregory.p.smith | set | recipients: + gregory.p.smith, vstinner, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-05-01 02:18:09 | gregory.p.smith | set | messageid: <1556677089.89.0.195275491572.issue30458@roundup.psfhosted.org>
2019-05-01 02:18:09 | gregory.p.smith | link | issue30458 messages
2019-05-01 02:18:09 | gregory.p.smith | create |