Message 392995 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	mgorny
Recipients	Mike.Lissner, gregory.p.smith, lukasz.langa, mgorny, miss-islington, orsenthil, sethmlarson, xtreak
Date	2021-05-05.09:11:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1620205894.65.0.148193390131.issue43882@roundup.psfhosted.org>
In-reply-to

Content
In my opinion, raising an exception would have been safer. Botocore and django do precisely what you say — provide a validator. To make this validator easier, they do the validation on splitted up URL parts. I disagree with the premise that they were stupid to rely on invalid data being passed through. I could understand if the function started rejecting invalid data. But until now, you could reasonably assume that urlsplit()'s output would correspond to its input. Making the output 'sanitized' means that invalid input is converted into valid output. This goes against the principle of least surprise. In the end, this opens us potential vulnerabilities in other packages. Imagine that something uses urlsplit() to perform the URL validation but uses the original URL elsewhere. By making the validation happen on a sanitized URL, you're effectively disarming the validator and letting bad URL through. Security is not only about fixing potential problems with your package. It's also about considering the consequences to your users. In this case, the chosen solution may actually open more vulnerabilities that it fixes. What's even worse, you're actively harming security in projects that actually attempted to solve the same problem earlier.

In my opinion, raising an exception would have been safer.

Botocore and django do precisely what you say — provide a validator.  To make this validator easier, they do the validation on splitted up URL parts.

I disagree with the premise that they were stupid to rely on invalid data being passed through.  I could understand if the function started rejecting invalid data.  But until now, you could reasonably assume that urlsplit()'s output would correspond to its input.  Making the output 'sanitized' means that invalid input is converted into valid output.  This goes against the principle of least surprise.

In the end, this opens us potential vulnerabilities in other packages.  Imagine that something uses urlsplit() to perform the URL validation but uses the original URL elsewhere.  By making the validation happen on a sanitized URL, you're effectively disarming the validator and letting bad URL through.

Security is not only about fixing potential problems with your package.  It's also about considering the consequences to your users.  In this case, the chosen solution may actually open more vulnerabilities that it fixes.  What's even worse, you're actively harming security in projects that actually attempted to solve the same problem earlier.

History
Date	User	Action	Args
2021-05-05 09:11:34	mgorny	set	recipients: + mgorny, gregory.p.smith, orsenthil, lukasz.langa, Mike.Lissner, miss-islington, xtreak, sethmlarson
2021-05-05 09:11:34	mgorny	set	messageid: <1620205894.65.0.148193390131.issue43882@roundup.psfhosted.org>
2021-05-05 09:11:34	mgorny	link	issue43882 messages
2021-05-05 09:11:34	mgorny	create