Message 341286 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	xtreak
Recipients	gregory.p.smith, martin.panter, miss-islington, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date	2019-05-02.16:58:19
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1556816300.15.0.353892978786.issue30458@roundup.psfhosted.org>
In-reply-to

Content
IMO it does qualify as a security issue. In case of urllib to be lenient and can be exploited it's good to document like tarfile and xml modules that have a warning about untrusted data potentially causing issues and perhaps link to a url validator that adheres to RFC in pypi. I would expect stdlib to handle this but in case it's not handled due to backwards compatibility and potential regressions a warning could be made about the same in the docs noting down the responsibility of the functions and that they are not always safe against malicious data.

IMO it does qualify as a security issue. In case of urllib to be lenient and can be exploited it's good to document like tarfile and xml modules that have a warning about untrusted data potentially causing issues and perhaps link to a url validator that adheres to RFC in pypi. I would expect stdlib to handle this but in case it's not handled due to backwards compatibility and potential regressions a warning could be made about the same in the docs noting down the responsibility of the functions and that they are not always safe against malicious data.

History
Date	User	Action	Args
2019-05-02 16:58:20	xtreak	set	recipients: + xtreak, gregory.p.smith, vstinner, martin.panter, serhiy.storchaka, xiang.zhang, orange, miss-islington, ware
2019-05-02 16:58:20	xtreak	set	messageid: <1556816300.15.0.353892978786.issue30458@roundup.psfhosted.org>
2019-05-02 16:58:20	xtreak	link	issue30458 messages
2019-05-02 16:58:19	xtreak	create