STINNER Victor added the comment:

Since corona10 abandoned his https://github.com/python/cpython/pull/1216 I created a new PR: https://github.com/python/cpython/pull/2800

I chose to only reject newline (\n): "\r" and "\0" are not rejected.

My PR rejects any URL containing "\n", even if the newline is part of the "path" part of the URL. While I expect that filenames containing newlines are very rare, my PR is an incompatible change which breaks such use cases :-(

I don't know where the balance is between security and backward compatibility... I started a thread on python-dev: https://mail.python.org/pipermail/python-dev/2017-July/148699.html

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29606>
_______________________________________