I agree with Jörg. We need evidence of problems before we decide to act, and that those problems aren’t being addressed in Python. Forcing a new dependency on all users is not something we’d do lightly.
On the contradictory standards, see the cURL maintainer’s post: https://daniel.haxx.se/blog/2022/10/18/deviating-from-specs/ .

> Anyhow, just out of curiosity, wouldn't it be possible to use
> functools.partial function to replace urllib.parse.urlparse with ada-python
> in settings.py? Or make some kind of django extension that integrates this
> other dependency?

It should always be possible to create and use custom classes that use ada, such as an alternative URL field.

On Mon, 1 Apr 2024, at 23:45, Jörg Breitbart wrote:
> You write:
>
> "It could still be a vulnerability ... / It could fail to parse ... /
> could decide it's invalid - This is all pretty bad..."
>
> I agree - this indeed would be really bad, if it can be used in
> malicious ways. But note that the fact that django or an upstream lib
> decided to slightly deviate from the latest URL parsing spec incarnation
> does not make it vulnerable per se. URL specs (or URI in general) used
> to contradict itself across various RFCs, so there is some ground of
> interpretation and which rules to follow in an implementation. Also
> django has to maintain backwards compat to some degree, and introducing
> a foreign c++ lib binding in its default installation is a very bold move.
>
> Anything into this direction needs proper justification and not just
> handwaving arguments (FUD?), unless there actually is a real
> vulnerability with the current impl.
>
> Cheers,
> Jörg
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com
> <mailto:django-developers%2bunsubscr...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/726fce28-2273-4672-8e00-f8619b95b0d9%40netzkolchose.de.
> --

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/d97f33e2-5ac5-4ee5-8850-8b8cda3dc8b0%40app.fastmail.com.
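An added illustration of the "custom classes that use ada" route discussed in this thread (example code written for this page, not Django's own field code and not part of the ada project): a field-style validator whose parser is injected, defaulting to the standard library, with an optional ada-url backend that is only imported if present. The `ada_url` calls (`check_url`, `parse_url` and the component keys read from its result) are assumptions about that package's API; the sample URLs are constructed. The small `differential` helper is the kind of evidence-gathering the thread asks for: it reports the inputs on which two backends disagree rather than asserting that a deviation is a bug.

```python
"""Pluggable URL parsing behind a field-style validator, plus a small
differential harness.  Example code for this thread; it does not use Django,
so it runs stand-alone.  The ada_url usage is an assumption about that
package's API and is only exercised when the package is importable."""
from __future__ import annotations

import importlib
from typing import Callable, Optional
from urllib.parse import urlsplit

# A parser maps a URL string to a small component dict, or None for "unusable".
Parser = Callable[[str], Optional[dict]]


def parse_with_urllib(url: str) -> Optional[dict]:
    """Standard-library backend; None is what a field would turn into a validation error."""
    try:
        parts = urlsplit(url)        # raises ValueError for an unbalanced IPv6 bracket
        port = parts.port            # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port, "path": parts.path}


def parse_with_ada(url: str) -> Optional[dict]:
    """WHATWG backend via the ada-url package (assumed API: check_url / parse_url)."""
    ada = importlib.import_module("ada_url")   # ImportError when not installed
    if not ada.check_url(url):
        return None
    parts = ada.parse_url(url)   # assumed to return a dict of WHATWG URL components
    port = int(parts["port"]) if parts.get("port") else None
    return {"scheme": parts["protocol"].rstrip(":"), "host": parts["hostname"],
            "port": port, "path": parts["pathname"]}


class URLField:
    """Field-like validator whose parser is injected, so a project can pick a
    backend in its own settings instead of the framework forcing a dependency."""

    allowed_schemes = ("http", "https")

    def __init__(self, parser: Parser = parse_with_urllib) -> None:
        self.parser = parser

    def clean(self, value: str) -> dict:
        parsed = self.parser(value)
        if parsed is None:
            raise ValueError(f"Enter a valid URL: {value!r}")
        if parsed["scheme"] not in self.allowed_schemes:
            raise ValueError(f"Scheme {parsed['scheme']!r} is not allowed")
        return parsed

    def is_valid(self, value: str) -> bool:
        try:
            self.clean(value)
        except ValueError:
            return False
        return True


def differential(parsers: dict, urls: list) -> dict:
    """Run every named parser over the inputs; return {url: {name: result}}
    for the inputs on which the backends disagree."""
    findings = {}
    for url in urls:
        results = {name: parse(url) for name, parse in parsers.items()}
        if len({repr(r) for r in results.values()}) > 1:
            findings[url] = results
    return findings


SAMPLE_URLS = [  # constructed inputs
    "https://a.example/path?q=1",
    "https://a.example:99999/",        # out-of-range port: stdlib rejects it
    "http://[::1",                     # unbalanced IPv6 bracket: stdlib rejects it
    "https://a.example\\@b.example/",  # stdlib reads host b.example; WHATWG treats '\' as a path separator
    "ftp://a.example/",                # parses fine, but the field's scheme allow-list rejects it
]

if __name__ == "__main__":
    field = URLField()
    for sample in SAMPLE_URLS:
        print(f"{sample!r}: valid={field.is_valid(sample)} parsed={parse_with_urllib(sample)}")
    try:
        parse_with_ada(SAMPLE_URLS[0])
        print(differential({"urllib": parse_with_urllib, "ada": parse_with_ada}, SAMPLE_URLS))
    except ImportError:
        print("ada_url not installed; differential run skipped")
```

Swapping the backend is then a one-line change in project code, `URLField(parser=parse_with_ada)`, and the `differential` output is the concrete record of where the two parsers disagree on a given input set, which is the kind of evidence the reply above asks for before changing a default.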