Message 298796 - Python tracker

Message298796

Author	vstinner
Recipients	christian.heimes, corona10, ecbftw, giampaolo.rodola, martin.panter, serhiy.storchaka, supl, vstinner
Date	2017-07-21.10:42:54
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1500633775.28.0.205567236487.issue29606@psf.upfronthosting.co.za>
In-reply-to

Content
Since corona10 abandonned his https://github.com/python/cpython/pull/1216 I created a new PR: https://github.com/python/cpython/pull/2800 I chose to only reject newline (\n): "\r" and "\0" are not rejected. My PR rejects any URL containing "\n", even if the newline is part of the "path" part of the URL. While I expect that filenames containing newlines are very rare, my PR is an incompatible change which breaks such use case :-( I don't know where is the balanace between security and backward compatibility... I started a thread on python-dev: https://mail.python.org/pipermail/python-dev/2017-July/148699.html

Content

Since corona10 abandonned his https://github.com/python/cpython/pull/1216 I created a new PR:
https://github.com/python/cpython/pull/2800

I chose to only reject newline (\n): "\r" and "\0" are not rejected.

My PR rejects any URL containing "\n", even if the newline is part of the "path" part of the URL. While I expect that filenames containing newlines are very rare, my PR is an incompatible change which breaks such use case :-(

I don't know where is the balanace between security and backward compatibility... I started a thread on python-dev:
https://mail.python.org/pipermail/python-dev/2017-July/148699.html

History
Date	User	Action	Args
2017-07-21 10:42:55	vstinner	set	recipients: + vstinner, giampaolo.rodola, christian.heimes, martin.panter, serhiy.storchaka, ecbftw, supl, corona10
2017-07-21 10:42:55	vstinner	set	messageid: <1500633775.28.0.205567236487.issue29606@psf.upfronthosting.co.za>
2017-07-21 10:42:55	vstinner	link	issue29606 messages
2017-07-21 10:42:54	vstinner	create