
Author vstinner
Recipients gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-04-17.15:32:36
Message-id <1555515157.08.0.273896162163.issue30458@roundup.psfhosted.org>
Content
It seems like a change has been pushed into urllib3 to fix this issue, but that there is an issue with international URLs and that maybe RFC 3986 should be updated.

RFC 3986: "Uniform Resource Identifier (URI): Generic Syntax" (January 2005)
https://www.ietf.org/rfc/rfc3986.txt

"Without #1531 or IRI support in rfc3986 releasing master in its current state will break backwards compatibility with international URLs."

https://github.com/urllib3/urllib3/issues/1553#issuecomment-474046652

=> where 1531 means https://github.com/urllib3/urllib3/pull/1531

":wave: Hi! I've noticed that CVE-2019-11236 has been assigned to the CRLF injection issue described here. It seems that the library has been patched in GitHub, but no new release has been made to pypi. Will a new release containing the fix be made to pypi soon? Based on @theacodes comment it seems like a release was going to be made, but I also see her status has her perhaps unavailable. Is someone else perhaps able to cut a new release into pypi?"

https://github.com/urllib3/urllib3/issues/1553#issuecomment-484113222
History
Date                 User      Action  Args
2019-04-17 15:32:37  vstinner  set     recipients: + vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-04-17 15:32:37  vstinner  set     messageid: <1555515157.08.0.273896162163.issue30458@roundup.psfhosted.org>
2019-04-17 15:32:37  vstinner  link    issue30458 messages
2019-04-17 15:32:36  vstinner  create