[issue36274] http.client cannot send non-ASCII request lines

Sviatoslav Sydorenko report at bugs.python.org
Wed Sep 18 09:05:58 EDT 2019


Sviatoslav Sydorenko <svyatoslav at sydorenko.org.ua> added the comment:

@xtreak the encoded null-byte test would be an extra test case to consider. It is reasonable to test as many known invalid sequences as possible. Changing that byte to encoded notation would just replace one test with another, effectively changing the semantics of it.

To me, it's quite weird that it's considered a CVE at all: it's happening on the client side and it doesn't prevent the user from just feeding the proper bytes right into the socket, so why overcomplicate things?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36274>
_______________________________________

