On Tue, Apr 9, 2019 at 4:45 PM Karthikeyan <tir.kar...@gmail.com> wrote:
> I would recommend fixing it since it's potentially remote code execution
> on systems like Redis (latest versions of Redis have this mitigated) though
> I must admit I don't fully understand the complexity since there are
> multiple issues linked. Go was also assigned a CVE for the linked issue and it
> seemed to be the same reporter by username: CVE-2019-9741. I tried using
> go's approach in the commit but urlopen accepts more URLs like data URLs
> [0] that seemed to accept \n as a valid case and the patch broke some
> tests. Looking at the issue discussion, complexity also involves backwards
> compatibility. golang also pushed an initial fix that seemed to break their
> internal tests [1] to arrive at a simpler fix.
>
> [0] https://github.com/python/cpython/blob/a40681dd5db8deaf05a635eecb91498dac882aa4/Lib/test/test_urllib.py#L482
> [1] https://go-review.googlesource.com/c/go/+/159157/2#message-39c6be13a192bf760f6318ac641b432a6ab8fdc8
>
> --
> Regards,
> Karthikeyan S

useful references, thanks!

limiting the checks to only http and https as those are the text based protocols with urls transmitted in text form makes sense and avoids the data: test failures.

proposed simple fix in https://github.com/python/cpython/pull/12755 but tests are needed as is an audit of the code to see where else we may potentially need to do such things.

-gps
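The scheme-limited check discussed above, written out as a standalone helper (an added example, not the CPython pull request's own code): http and https URLs are rejected if the raw string carries CR, LF or another ASCII control character, while other schemes such as data: pass through untouched. The function and exception names are my own; note that the check runs on the raw string because newer `urllib.parse` releases silently strip tabs and newlines during parsing, so inspecting the parsed parts would miss exactly the characters of interest.

```python
"""Reject control characters in http(s) URLs before they reach the request line.

Added example mirroring the approach in the thread: only the text-based
http/https schemes are checked, so data: URLs that legitimately contain
newlines keep working.  Names here (check_http_url, InvalidURL) are
hypothetical, not from CPython.
"""
import re
from urllib.parse import urlsplit

# CR, LF and the remaining C0/DEL controls: any of these can terminate or
# split an HTTP request line or header once the URL is spliced into text.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Schemes whose request target is transmitted as plain text.
_TEXT_SCHEMES = frozenset({"http", "https"})


class InvalidURL(ValueError):
    """Raised when an http(s) URL contains characters that could split headers."""


def check_http_url(url: str) -> str:
    """Return ``url`` unchanged if it is safe to send; raise InvalidURL otherwise.

    The scheme comes from urlsplit (which lower-cases it), but the control
    character scan runs on the raw string: urlsplit in Python 3.9.5+ strips
    '\\t', '\\r' and '\\n' before parsing, so parsed components would hide them.
    """
    scheme = urlsplit(url).scheme
    if scheme not in _TEXT_SCHEMES:
        return url  # e.g. data: URLs may contain newlines by design
    match = _CONTROL_CHARS.search(url)
    if match:
        raise InvalidURL(
            f"control character {match.group()!r} at offset {match.start()} in {url!r}"
        )
    return url


def is_safe_http_url(url: str) -> bool:
    """Boolean convenience wrapper around check_http_url."""
    try:
        check_http_url(url)
    except InvalidURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the second splits the path across a CRLF.
    for sample in ("http://example.com/ok", "http://example.com/a\r\nX: y",
                   "data:text/plain,line1\nline2"):
        print(repr(sample), "->", is_safe_http_url(sample))
```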
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev