[issue30458] [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)

STINNER Victor report at bugs.python.org
Wed Apr 10 18:05:48 EDT 2019


STINNER Victor <vstinner at redhat.com> added the comment:

> Will this break something in the world other than our own test_xmlrpc test?  Probably. Do they have a right to complain about it?  Not one we need listen to.

I understand. But. Can we consider that for old Python versions like Python 2.7 and 3.5?

This change will be applied to all supported Python versions.

I recall that when Python 2.7 started to validate TLS certificates, the change broke some applications. Are these applications badly written? Yes! But well, "it worked well before". Sometimes, when you work in a private network, security matters less, whereas it might be very expensive to fix a legacy application. At Red Hat, we developed a solution to let customers opt out of this fix (to not validate TLS certificates), because it is just too expensive for customers to fix their legacy code, but they would like to be able to upgrade RHEL.

One option to not validate URLs is to downgrade Python, but I'm not sure that it's the best compromise :-/

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
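The injection this issue is about, and the check that closes it, as an added stand-alone example (not code from the thread or from CPython itself). A request line is built from a caller-supplied path, first verbatim (the pre-fix behaviour) and then with the control-character rejection CPython adopted for this issue; a tiny constructed parser plays the server and shows whether a smuggled "X-Injected" field reaches it. The function names, the sample path and the parser are this example's own; the character class `[\x00-\x20\x7f]` is the one CPython uses, and the `ValueError` is what legacy callers that pass such URLs now hit, which is the compatibility cost the message above weighs.

```python
import re

# Character class CPython's http.client rejects in the request-target after
# the fix for CVE-2019-9740 / CVE-2019-9947 (bpo-30458): ASCII control
# characters, space and DEL. Name is this example's own.
_DISALLOWED_URL_PCHAR_RE = re.compile(r"[\x00-\x20\x7f]")


def build_request_unchecked(method: str, path: str, headers: dict) -> bytes:
    """Pre-fix behaviour: the path is pasted into the request line verbatim,
    so a CR LF inside it terminates the request line early and everything
    after it is sent as additional header fields."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_request_checked(method: str, path: str, headers: dict) -> bytes:
    """Post-fix behaviour: refuse any request-target containing a control
    character instead of letting it reach the wire."""
    if _DISALLOWED_URL_PCHAR_RE.search(path):
        raise ValueError(f"URL can't contain control characters. {path!r}")
    return build_request_unchecked(method, path, headers)


def parse_request(raw: bytes):
    """Constructed stand-in for the receiving server: split the head of the
    request into (request_line, {field-name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, *field_lines = head.decode("ascii").split("\r\n")
    fields = {}
    for line in field_lines:
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return request_line, fields


def injected_header_present(path: str) -> bool:
    """Does the unchecked builder let a caller-controlled path add a header?"""
    raw = build_request_unchecked("GET", path, {"Host": "example.invalid"})
    _, fields = parse_request(raw)
    return "X-Injected" in fields


def check_rejects(path: str) -> bool:
    """Does the checked builder refuse this path?"""
    try:
        build_request_checked("GET", path, {"Host": "example.invalid"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled path with a raw CR LF in it.
    evil = "/index.html\r\nX-Injected: yes"
    # Same payload percent-encoded: no control characters on the wire, so it
    # is neither an injection nor something the check needs to refuse.
    encoded = "/index.html%0d%0aX-Injected:%20yes"
    print("raw CRLF, unchecked builder, header injected:", injected_header_present(evil))
    print("raw CRLF, checked builder rejects:", check_rejects(evil))
    print("encoded CRLF, unchecked builder, header injected:", injected_header_present(encoded))
    print("encoded CRLF, checked builder rejects:", check_rejects(encoded))
```

The percent-encoded case is the caveat worth keeping in mind when assessing the compatibility impact: the check only refuses paths that would actually corrupt the request framing, so URLs that were correctly encoded before the fix keep working, and what breaks is exactly the set of callers that were relying on raw control characters being sent.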

