I consider that it is a security vulnerability and so should be fixed in
all supported branches including 3.3 and 3.4.
If someone is blocked for a legit use case, an old Python version can be
used until we decide how to handle it.
I concur with you, I don't think that anyone uses filenames contai
On Sat, Jul 22, 2017 at 7:10 PM, Giampaolo Rodola' wrote:
>
>
> On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner wrote:
>
>> On Jul 22, 2017 8:04 AM, "Serhiy Storchaka" wrote:
>>
>> I think the only reliable way of fixing the vulnerability is rejecting or
>> escaping (as specified in RF
On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner wrote:
> On Jul 22, 2017 8:04 AM, "Serhiy Storchaka" wrote:
>
> I think the only reliable way of fixing the vulnerability is rejecting or
> escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
> support of RFC 2640 is a
On Jul 22, 2017 8:04 AM, "Serhiy Storchaka" wrote:
I think the only reliable way of fixing the vulnerability is rejecting or
escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
support of RFC 2640 is a new feature and can be added only in 3.7. And this
feature should b
On 21.07.17 13:02, Victor Stinner wrote:
Recently, two security vulnerabilities were reported in the urllib module:
https://bugs.python.org/issue30500
http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html#bpo-30500-urllib-connects-to-a-wrong-host
=> already fixed
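As an added illustration, not code from this thread or from CPython, here is the "reject" option Serhiy describes, applied to a command line built from an ftp:// URL. The host example.invalid and all helper names are placeholders; the code assumes (as urllib does) that the URL path is percent-decoded before it is used, which is why the check has to run on the decoded value.

```python
"""Constructed example (not from the thread): CR/LF handling for FTP commands."""
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"


class FtpArgumentError(ValueError):
    """Raised when an argument would break the FTP control-connection line."""


def is_safe_argument(arg):
    """True if `arg` contains no CR or LF, the only characters that end a line."""
    return "\r" not in arg and "\n" not in arg


def build_command_unchecked(verb, arg):
    """The fragile pattern: join and terminate with CRLF, no validation."""
    return f"{verb} {arg}{CRLF}"


def build_command_checked(verb, arg):
    """Hardened form, the 'reject' option: refuse CR/LF before it hits the wire."""
    if not is_safe_argument(arg):
        raise FtpArgumentError("CR or LF not allowed in FTP command argument")
    return f"{verb} {arg}{CRLF}"


def count_control_lines(wire_text):
    """Number of commands a server would parse; a single clean command gives 1.
    splitlines() also splits on a bare CR or LF, matching lenient servers."""
    return len(wire_text.splitlines())


def ftp_url_path_components(url):
    """Split an ftp:// URL into directory names and a file name, percent-decoded.
    Assumption: like urllib, the path is decoded before use, so %0D%0A in the
    URL becomes a real CR LF and validation must run on the decoded value."""
    path = urlsplit(url).path
    dirs, _, name = path.rpartition("/")
    return [unquote(d) for d in dirs.split("/") if d], unquote(name)


def safe_retr_line(url):
    """Build the RETR line for a URL, rejecting a name that would inject."""
    _, name = ftp_url_path_components(url)
    return build_command_checked("RETR", name)
```

count_control_lines is the diagnostic: a percent-encoded name that decodes to more than one control line is exactly the case the checked builder refuses.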
> On Jul 21, 2017, at 3:45 AM, Victor Stinner wrote:
>
> Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to
> find a balance between security (reject any URL looking like an
> attempt to counter the security protections) and backward
> compatibility (accept filenames containing
On Fri, Jul 21, 2017, at 08:43, Giampaolo Rodola' wrote:
> It took me a while to understand the security implications of this
> FTP-related bug, but I believe I got the gist of it here (I can
> elaborate further if it's not clear):
> https://github.com/python/cpython/pull/1214#issuecomment-29839316
On Fri, Jul 21, 2017 at 12:45 PM, Victor Stinner wrote:
> 2017-07-21 12:02 GMT+02:00 Victor Stinner:
> > https://bugs.python.org/issue29606
> > http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> > => not fixed yet
>
> Ok
2017-07-21 12:02 GMT+02:00 Victor Stinner:
> https://bugs.python.org/issue29606
> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> => not fixed yet
Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to
find