[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Giampaolo Rodola' g.rodola at gmail.com
Sat Jul 22 13:10:15 EDT 2017


On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stinner at gmail.com>
wrote:

> On 22 Jul. 2017 8:04 AM, "Serhiy Storchaka" <storchaka at gmail.com>
> wrote:
>
> I think the only reliable way of fixing the vulnerability is rejecting or
> escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
> support of RFC 2640 is a new feature and can be added only in 3.7. And this
> feature should be optional since not all servers support RFC 2640.
> https://github.com/python/cpython/pull/1214 does the right thing.
>
>
> In that case, I suggest rejecting newlines in ftplib, and maybe adding an
> opt-in option to escape newlines.
>
> Java just rejected newlines, no? Or does Java allow escaping them?
>
> Victor
>
>
OK, let's just reject \n then and be done with it. It's a rare use case
after all.
Java just rejects \n for all commands and does not support escaping (aka
RFC 2640).


-- 
Giampaolo - http://grodola.blogspot.com
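As an added illustration of the approach the thread settles on (not code from the thread, from the linked pull request or from CPython itself), a client-side guard that rejects CR and LF before a line is written to the FTP control connection. The names check_ftp_line, SafeFTP and is_safe_ftp_argument are hypothetical; the sample pathnames are constructed and no network connection is made.

```python
"""Reject CR/LF in outgoing FTP command lines (added example)."""
import ftplib


def check_ftp_line(line: str) -> str:
    """Return ``line`` unchanged if it holds no CR or LF, else raise ValueError.

    An FTP command is terminated by CRLF, so a CR or LF inside an argument
    (for example a pathname copied from untrusted input) would let the server
    read the remainder of the argument as a separate command.  Rejecting the
    characters outright is the behaviour the thread agrees on.
    """
    if "\r" in line or "\n" in line:
        raise ValueError("an FTP command line must not contain CR or LF")
    return line


class SafeFTP(ftplib.FTP):
    """ftplib.FTP subclass (hypothetical) that validates every outgoing line.

    putline() is the single point through which ftplib sends commands, so
    checking here covers sendcmd(), cwd(), retrlines() and the rest.
    """

    def putline(self, line):
        check_ftp_line(line)
        super().putline(line)


def is_safe_ftp_argument(arg: str) -> bool:
    """Boolean form of the check, convenient for validating input up front."""
    try:
        check_ftp_line(arg)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample arguments; the second embeds a CRLF and is rejected.
    for path in ("pub/readme.txt", "pub/readme.txt\r\nNOOP"):
        verdict = "ok" if is_safe_ftp_argument(path) else "rejected"
        print(repr(path), "->", verdict)
```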

