New submission from Michael Mulich <michael.mul...@gmail.com>:

The packaging.pypi.simple.Crawler blindly follows external download URLs. The crawler should honor a list of allowed hosts (see also the hosts parameter) before attempting to download from an external source.

Éric Araujo has also pointed out that established tools like easy_install and pip provide ways of allowing/restricting by host.

----------
assignee: tarek
components: Distutils2
messages: 138663
nosy: alexis, eric.araujo, michael.mulich, tarek
priority: normal
severity: normal
status: open
title: packaging.pypi.simple.Crawler assumes external download links are ok to follow
type: behavior
versions: Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12368>
_______________________________________
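The host check requested in the report above, sketched as an added example (not code from the tracker issue or from the packaging module). The function names, the glob-style pattern format and every host shown are assumptions of this example; it filters candidate download links against an allowlist before any request is made.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed allowlist and links; none of these hosts come from the report.
ALLOWED_HOSTS = ("index.example.org", "*.mirror.example.org")
SAMPLE_LINKS = [
    "https://index.example.org/packages/foo-1.0.tar.gz",
    "http://files.mirror.example.org/foo-1.0.tar.gz",
    "HTTPS://INDEX.EXAMPLE.ORG:443/foo-1.0.tar.gz",
    "https://downloads.example.net/foo-1.0.tar.gz",
    "https://index.example.org@downloads.example.net/foo-1.0.tar.gz",
    "https://index.example.org.example.net/foo-1.0.tar.gz",
    "ftp://index.example.org/foo-1.0.tar.gz",
]


def host_allowed(url, allowed_hosts):
    """True only if the URL's real host matches an allowed glob pattern."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, without userinfo or port
    except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    host = host.rstrip(".")  # treat "host." and "host" alike
    return any(fnmatchcase(host, pat.lower()) for pat in allowed_hosts)


def filter_links(links, allowed_hosts):
    """Split links into (followed, rejected) before anything is fetched."""
    followed, rejected = [], []
    for url in links:
        (followed if host_allowed(url, allowed_hosts) else rejected).append(url)
    return followed, rejected


if __name__ == "__main__":
    ok, blocked = filter_links(SAMPLE_LINKS, ALLOWED_HOSTS)
    for url in ok:
        print("follow:", url)
    for url in blocked:
        print("skip:  ", url)
```

Matching on the parsed hostname rather than on the URL string is what keeps the userinfo form (`allowed-host@other-host`) and the suffix form (`allowed-host.other-domain`) out of the followed list.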