You write:
"It could still be a vulnerability ... / It could fail to parse ... /
could decide it's invalid - This is all pretty bad..."
I agree - this indeed would be really bad, if it can be used in
malicious ways. But note that the fact that Django or an upstream lib
decided to slightly deviate from the latest URL parsing spec incarnation
does not make it vulnerable per se. URL specs (or URI in general) used
to contradict themselves across various RFCs, so there is some ground for
interpretation as to which rules to follow in an implementation. Also,
Django has to maintain backwards compat to some degree, and introducing
a foreign C++ lib binding in its default installation is a very bold move.
Anything in this direction needs proper justification and not just
handwaving arguments (FUD?), unless there actually is a real
vulnerability with the current impl.
Cheers,
Jörg
--
You received this message because you are subscribed to the Google Groups "Django
developers (Contributions to Django itself)" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/726fce28-2273-4672-8e00-f8619b95b0d9%40netzkolchose.de.