Author barry
Recipients Arfrever, barry, jwilk, loewis, pl, r.david.murray, terry.reedy, vvl, ysj.ray
Date 2011-01-10.21:01:23
SpamBayes Score 4.69187e-08
Marked as misclassified No
Message-id <1294693295.87.0.945714514547.issue5871@psf.upfronthosting.co.za>
In-reply-to
Content
I'm inclined not to support backporting to Python 2.6.  It seems like a fairly rare and narrow hole for security problem, because it would require a program to add the bogus header explicitly, as opposed to getting it after parsing some data.  To me, that smacks of SQL-injection or XSS type bug, where it's really the application that's the problem.

Or in other words, assuming you don't have a program that is deliberately adding such headers (and then it should be considered a feature, i.e. they know what they're doing), then you'd have to trick a header-adding program to add some unvalidated text.

I dunno, it doesn't seem like a serious enough threat to backport.
History
Date User Action Args
2011-01-10 21:01:36barrysetrecipients: + barry, loewis, terry.reedy, jwilk, pl, Arfrever, r.david.murray, ysj.ray, vvl
2011-01-10 21:01:35barrysetmessageid: <1294693295.87.0.945714514547.issue5871@psf.upfronthosting.co.za>
2011-01-10 21:01:23barrylinkissue5871 messages
2011-01-10 21:01:23barrycreate