Author steve.dower
Recipients Joel Croteau, christian.heimes, docs@python, eric.smith, gc2, lukasz.langa, ncoghlan, ned.deily, pmoody, serhiy.storchaka, steve.dower, vstinner
Date 2021-04-03.16:41:45
Message-id <1617468105.24.0.540299420197.issue36384@roundup.psfhosted.org>
Content
(Copied from my comment on the PR, following the one where I said this was ready to go.)

Withdrawing the readiness - @ambv and I would prefer to see this behind a flag (probably "strict" parsing), on by default for 3.10, and maybe on by default for 3.9/earlier.

The main reasoning being that this isn't our vulnerability, but an inconsistency with other vulnerable libraries. The current fix is the best it can be, but it doesn't prevent the vulnerability, it just causes Python to break first. So it ought to be relatively easy to retain the flexible (though admittedly nonsensical) behaviour for those who currently rely on it.
History
Date | User | Action | Args
2021-04-03 16:41:45 | steve.dower | set | recipients: + steve.dower, ncoghlan, vstinner, eric.smith, christian.heimes, ned.deily, pmoody, docs@python, lukasz.langa, serhiy.storchaka, Joel Croteau, gc2
2021-04-03 16:41:45 | steve.dower | set | messageid: <1617468105.24.0.540299420197.issue36384@roundup.psfhosted.org>
2021-04-03 16:41:45 | steve.dower | link | issue36384 messages
2021-04-03 16:41:45 | steve.dower | create |