
Author gregory.p.smith
Recipients gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-05-01.02:18:09
Message-id <1556677089.89.0.195275491572.issue30458@roundup.psfhosted.org>
Content
Backports to older releases will need to be done manually and take care depending on how much of a concern tightening the existing abusive lenient behavior of the http.client API to enforce what characters are allowed in URLs is to stable releases.

I question if this is _really_ worthy of a "security" tag and a CVE (thus its non-high ranking)... it is a bug in the calling program if it blindly uses untrusted data as a URL.  What this issue addresses is that we catch that more often and raise an error; a good thing to do for sure, but the stdlib should be the last line of defense.
History
Date User Action Args
2019-05-01 02:18:09 gregory.p.smith set recipients: + gregory.p.smith, vstinner, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-05-01 02:18:09 gregory.p.smith set messageid: <1556677089.89.0.195275491572.issue30458@roundup.psfhosted.org>
2019-05-01 02:18:09 gregory.p.smith link issue30458 messages
2019-05-01 02:18:09 gregory.p.smith create
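
The split of responsibility described in the message (the calling program validates untrusted input, http.client is only the last line of defense), as an added example that is not part of the original message or of CPython. `checked_target`, `UntrustedURLError`, `stdlib_rejects` and the character policy are this example's own assumptions, and `stdlib_rejects` assumes a Python release in which http.client raises `InvalidURL` for control characters in the request target.

```python
import http.client
import re
from urllib.parse import urlsplit

# Caller-side policy (this example's assumption): no ASCII control
# characters or spaces anywhere in a URL built from untrusted input.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")
_ALLOWED_SCHEMES = {"http", "https"}


class UntrustedURLError(ValueError):
    """Raised by the caller's own check, before http.client is involved."""


def checked_target(untrusted_url):
    """Validate an untrusted URL; return (scheme, host, port, request_target)."""
    bad = _FORBIDDEN.search(untrusted_url)
    if bad:
        raise UntrustedURLError(f"forbidden character {bad.group()!r} in URL")
    try:
        parts = urlsplit(untrusted_url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError as exc:
        raise UntrustedURLError(str(exc)) from exc
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.hostname:
        raise UntrustedURLError("only absolute http(s) URLs are accepted")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.scheme, parts.hostname, port, target


def stdlib_rejects(request_target):
    """True if http.client itself refuses the target (last line of defense).

    putrequest() only buffers the request line, so no connection is made.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", request_target)
    except http.client.InvalidURL:
        return True
    return False
```

A caller that catches `ValueError` around `checked_target` handles both its own rejections and parsing failures; `InvalidURL` from http.client should then only appear if the caller-side check was skipped.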