
Author mgorny
Recipients Mike.Lissner, gregory.p.smith, lukasz.langa, mgorny, miss-islington, orsenthil, sethmlarson, xtreak
Date 2021-05-05.09:11:34
In my opinion, raising an exception would have been safer.

Botocore and django do precisely what you say — provide a validator.  To make this validator easier, they do the validation on split-up URL parts.

I disagree with the premise that they were stupid to rely on invalid data being passed through.  I could understand if the function started rejecting invalid data.  But until now, you could reasonably assume that urlsplit()'s output would correspond to its input.  Making the output 'sanitized' means that invalid input is converted into valid output.  This goes against the principle of least surprise.

In the end, this opens up potential vulnerabilities in other packages.  Imagine that something uses urlsplit() to perform the URL validation but uses the original URL elsewhere.  By making the validation happen on a sanitized URL, you're effectively disarming the validator and letting bad URLs through.

Security is not only about fixing potential problems with your package.  It's also about considering the consequences to your users.  In this case, the chosen solution may actually open more vulnerabilities than it fixes.  What's even worse, you're actively harming security in projects that actually attempted to solve the same problem earlier.
Date                 User    Action  Args
2021-05-05 09:11:34  mgorny  set     recipients: + mgorny, gregory.p.smith, orsenthil, lukasz.langa, Mike.Lissner, miss-islington, xtreak, sethmlarson
2021-05-05 09:11:34  mgorny  set     messageid: <>
2021-05-05 09:11:34  mgorny  link    issue43882 messages
2021-05-05 09:11:34  mgorny  create
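
The scenario described in the message above, as an added example that is not part of the original message and is not code from CPython, Botocore or Django: a validator that inspects urlsplit() output next to one that inspects the original string. The function names and the sample URL are constructed for illustration, and the example assumes the sanitization under discussion is the removal of ASCII tab, CR and LF characters by urlsplit().

```python
from urllib.parse import urlsplit

# Assumption: these are the characters the sanitizing urlsplit() strips.
UNSAFE = "\t\r\n"

# Constructed sample input: a URL with an embedded newline.
SAMPLE = "https://example.com/some\npath"


def parts_validator(url):
    """Hypothetical validator that checks the split-up URL parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # SplitResult iterates as (scheme, netloc, path, query, fragment).
    return not any(ch in field for field in parts for ch in UNSAFE)


def raw_validator(url):
    """Checks the original string first, so the verdict does not depend
    on what urlsplit() removes before the parts are inspected."""
    if any(ch in url for ch in UNSAFE):
        return False
    return parts_validator(url)


def urlsplit_sanitizes():
    """True if this interpreter's urlsplit() drops tab/CR/LF from its output."""
    return "\n" not in urlsplit("http://example.com/a\nb").path


def disarmed(url):
    """True when the parts-based check accepts a URL whose original string
    still carries the characters the check was written to reject."""
    return parts_validator(url) and any(ch in url for ch in UNSAFE)


if __name__ == "__main__":
    print("urlsplit() sanitizes:      ", urlsplit_sanitizes())
    print("parts validator accepts:   ", parts_validator(SAMPLE))
    print("raw validator accepts:     ", raw_validator(SAMPLE))
    print("parts validator disarmed:  ", disarmed(SAMPLE))
```

On an interpreter whose urlsplit() sanitizes, the parts-based check accepts the sample while the original string, which is what the caller would reuse elsewhere, is unchanged; the raw-string check rejects it on any version.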