Author sethmlarson
Recipients Mike.Lissner, gregory.p.smith, lukasz.langa, mgorny, miss-islington, orsenthil, sethmlarson, xtreak
Date 2021-05-04.17:26:45
Message-id <1620149205.21.0.699731037727.issue43882@roundup.psfhosted.org>
Content
Leaving a thought here, I'm highlighting that we're now implementing two different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to doing so, as now a strict URL parser for RFC 3986 (like the one used by urllib3/requests) will give different results compared to Python, thus opening up the door for SSRF vulnerabilities [1].

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
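The parser-differential risk mentioned above, as an added illustration that is not part of this message or of CPython/urllib3: a small strict parser built on the RFC 3986 Appendix B grammar (a stand-in for urllib3's parser, not its actual code) is compared against urllib.parse, and a defensive helper only accepts a host when both views agree and the host is on an allow-list. The sample URL with an embedded tab is constructed; the exact characters urllib.parse tolerates are an assumption taken from the WHATWG-leaning behaviour the message refers to, and the check is written so it flags the disagreement regardless of what urllib.parse returns for that host.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 Appendix B split regex, used as the "strict" side of the comparison.
# DOTALL so that a control character anywhere still lands in some group and
# is then rejected by the host grammar below instead of silently dropped.
_RFC3986_SPLIT = re.compile(
    r"(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?",
    re.DOTALL,
)

# reg-name characters per RFC 3986 section 3.2.2: unreserved, sub-delims,
# pct-encoded. IP-literals ([...]) are deliberately not handled here.
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")


def strict_host(url):
    """Host as a strict RFC 3986 parser sees it, or None when the URL is not
    well-formed under that grammar (whitespace or control chars in the
    authority, non-numeric port, empty host)."""
    m = _RFC3986_SPLIT.fullmatch(url)
    if m is None or m.group(2) is None:
        return None
    hostport = m.group(2).rsplit("@", 1)[-1]      # drop userinfo
    host, _, port = hostport.partition(":")       # drop port
    if port and not port.isdigit():
        return None
    if not host or _REG_NAME.fullmatch(host) is None:
        return None
    return host.lower()


def lenient_host(url):
    """Host as Python's urllib.parse sees it (None if it finds no host)."""
    return urlsplit(url).hostname


def parsers_disagree(url):
    """True when the strict and the urllib.parse view of the host differ.
    That disagreement is exactly what lets an allow-list check performed
    with one parser be bypassed by a request issued through the other."""
    return strict_host(url) != lenient_host(url)


def safe_host(url, allowed):
    """Defensive gate: accept a URL only if both parsers agree on the host
    and that host is on the allow-list. Returns the host or None."""
    host = strict_host(url)
    if host is None or host != lenient_host(url) or host not in allowed:
        return None
    return host


if __name__ == "__main__":
    ALLOWED = {"example.com"}
    # Constructed samples: a clean URL and one with an embedded tab in the host.
    for sample in ("http://user@example.com:8080/path", "http://exam\tple.com/"):
        print(repr(sample), "strict=", strict_host(sample),
              "urllib=", lenient_host(sample),
              "disagree=", parsers_disagree(sample),
              "accepted=", safe_host(sample, ALLOWED))
```

The point of the gate is not the particular strict parser but the agreement requirement: whichever library later issues the request, it must see the same host that was checked, so any URL on which the two implementations disagree is refused outright rather than reconciled.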