Message 392926 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	sethmlarson
Recipients	Mike.Lissner, gregory.p.smith, lukasz.langa, mgorny, miss-islington, orsenthil, sethmlarson, xtreak
Date	2021-05-04.17:26:45
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1620149205.21.0.699731037727.issue43882@roundup.psfhosted.org>
In-reply-to

Content
Leaving a thought here, I'm highlighting that we're now implementing two different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to doing so as now a strict URL parser for RFC 3986 (like the one used by urllib3/requests) will give different results compared to Python and thus opens up the door for SSRF vulnerabilities [1]. [1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

Leaving a thought here, I'm highlighting that we're now implementing two different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to doing so as now a strict URL parser for RFC 3986 (like the one used by urllib3/requests) will give different results compared to Python and thus opens up the door for SSRF vulnerabilities [1].

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

History
Date	User	Action	Args
2021-05-04 17:26:45	sethmlarson	set	recipients: + sethmlarson, gregory.p.smith, orsenthil, lukasz.langa, mgorny, Mike.Lissner, miss-islington, xtreak
2021-05-04 17:26:45	sethmlarson	set	messageid: <1620149205.21.0.699731037727.issue43882@roundup.psfhosted.org>
2021-05-04 17:26:45	sethmlarson	link	issue43882 messages
2021-05-04 17:26:45	sethmlarson	create