Author ned.deily
Recipients benjamin.peterson, cstratak, gregory.p.smith, jaraco, larry, lukasz.langa, martin.panter, miss-islington, ned.deily, orange, rschiron, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-09-18.22:30:07
Message-id <1568845808.0.0.793103258914.issue30458@roundup.psfhosted.org>
In-reply-to
Content
With the breaking out of the potential and/or actual regression (e.g. invalid requests can no longer be crafted) into Issue38216, itself a potential release blocker, we are still left here with the as-yet unresolved issue identified above in msg34728 (e.g. not checking for control characters in the "host" part of the URL, only the "path" part).  Since this also affects so many branches/releases and has external components (CVEs, third-party impacts), it probably would have made sense to break it out into a separate issue (and maybe it still does).  But since this problem has been present for many releases (apparently), I would rather not further hold the 3.7.5 release for a resolution (though that would be a good thing) so I'm going to change the priority for the moment to "deferred blocker".

But we need someone (preferably a core dev already involved) to take charge of this and push it to a resolution.  Thanks for everyone's help so far!
History
Date User Action Args
2019-09-18 22:30:08 ned.deily set recipients: + ned.deily, gregory.p.smith, jaraco, vstinner, larry, benjamin.peterson, lukasz.langa, martin.panter, serhiy.storchaka, xiang.zhang, cstratak, orange, miss-islington, xtreak, ware, rschiron
2019-09-18 22:30:07 ned.deily set messageid: <1568845808.0.0.793103258914.issue30458@roundup.psfhosted.org>
2019-09-18 22:30:07 ned.deily link issue30458 messages
2019-09-18 22:30:07 ned.deily create