Author vstinner
Recipients alex, christian.heimes, dstufft, janssen, lukasz.langa, ned.deily, vstinner
Date 2019-07-01.08:55:28
Message-id <1561971328.54.0.47490834861.issue37463@roundup.psfhosted.org>
Content
> It's a potential security bug although low severity.

What is the worst that can happen with this issue?

Either the client doesn't validate the cert at all, and so this issue has no impact, or the client validates the cert and trusts the CA, but the host isn't fully validated... Ok, but could someone abuse "1.1.1.1 ; this should not work but does"? Does a web browser accept such a hostname? Or can it be used to inject SQL or a shell command for example?
History
Date                 User      Action  Args
2019-07-01 08:55:28  vstinner  set     recipients: + vstinner, janssen, christian.heimes, ned.deily, alex, lukasz.langa, dstufft
2019-07-01 08:55:28  vstinner  set     messageid: <1561971328.54.0.47490834861.issue37463@roundup.psfhosted.org>
2019-07-01 08:55:28  vstinner  link    issue37463 messages
2019-07-01 08:55:28  vstinner  create
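
Added example (not part of the original message and not CPython's code): a strict IP-literal check applied before comparing a hostname with a certificate's IP entries, so the string quoted in the message is rejected instead of being read as 1.1.1.1. The use of socket.inet_aton() as the lenient parser for comparison is an assumption, since the message does not name one, and match_ip_san is a hypothetical helper.

```python
import ipaddress
import socket

# Hostname quoted in the message above.
SUSPECT = "1.1.1.1 ; this should not work but does"


def lenient_accepts(host):
    """True if the platform's inet_aton() parses host.

    Assumption: this stands in for a lenient parser. The result depends on
    the C library; glibc stops at the first whitespace and ignores the rest.
    """
    try:
        socket.inet_aton(host)
        return True
    except OSError:
        return False


def strict_ip(host):
    """Return an address object only for an exact IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def match_ip_san(host, san_ips):
    """Hypothetical helper: match host against a certificate's IP entries.

    Both sides are parsed strictly, so trailing data never matches.
    """
    ip = strict_ip(host)
    if ip is None:
        return False
    return any(ip == strict_ip(entry) for entry in san_ips)


if __name__ == "__main__":
    for h in ("1.1.1.1", SUSPECT):
        print(repr(h), "lenient:", lenient_accepts(h),
              "strict match:", match_ip_san(h, ["1.1.1.1"]))
```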