ecbftw added the comment:

> What is wrong with a URL containing '\n'? I suppose that when formatting a
> request with a text protocol, embedded '\n' can split the request line on two
> lines and inject a new command. The most robust way would be to check whether
> the formatted line contains '\n', '\r', '\0' or other illegal characters.

I agree, there's nothing wrong with an encoded line feed (%0a) in a URL. HTTP can easily handle '\n' in a basic auth password field, for instance. The problem is when these characters are included in a context where they are interpreted as a delimiter of some kind. In FTP's case, they are being interpreted as the delimiter between commands.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29606>
_______________________________________
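The distinction drawn in this message, as an added example (not code from the tracker issue or from CPython): the same decoded '\n' is harmless where the protocol encodes it (HTTP Basic auth) and changes line framing where it is written raw into an FTP command, and the check on the formatted line suggested in the quoted comment catches it. All function names, the host `ftp.example.test` and the sample URL are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

ILLEGAL = ("\r", "\n", "\0")  # characters that break FTP command-line framing


def format_command(verb, arg):
    """Format one FTP command line with no checking (hypothetical helper)."""
    return f"{verb} {arg}\r\n"


def checked_command(verb, arg):
    """Format a command, then reject it if the line contains a delimiter."""
    line = format_command(verb, arg)
    if any(ch in line[:-2] for ch in ILLEGAL):  # ignore our own trailing CRLF
        raise ValueError(f"illegal character in FTP command: {line!r}")
    return line


def wire_lines(data):
    """Split sent data into the command lines a server would parse."""
    return [ln for ln in re.split(r"\r?\n", data) if ln]


def cwd_commands(url, formatter):
    """Percent-decode each directory of an ftp:// URL path into a CWD command."""
    dirs = urlsplit(url).path.split("/")[:-1]
    return [formatter("CWD", unquote(d)) for d in dirs if d]


def basic_auth_header(user, password):
    """HTTP Basic auth: credentials are base64-encoded before they hit the wire."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Authorization: Basic {token}"


if __name__ == "__main__":
    url = "ftp://ftp.example.test/pub%0d%0aNOOP/file.txt"  # constructed sample
    for cmd in cwd_commands(url, format_command):
        print("unchecked ->", wire_lines(cmd))
    try:
        cwd_commands(url, checked_command)
    except ValueError as exc:
        print("checked   ->", exc)
    print(basic_auth_header("user", "pa\nss"))
```

The check runs on the formatted line after percent-decoding, so it does not depend on which URL component the delimiter arrived in.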