Hi,

The Python bug tracker currently has 78 open issues of the type
Security. If you are looking for something to do to help the Python
project, please go through the list (search for open issues with
Type=security at bugs.python.org), discuss the different solutions how
to address these vulnerabilities, and maybe even propose a fix.

Here are some examples.

== tarfile ==

For example, the tarfile module has a known directory traversal
vulnerability (unsafe by default), whereas the GNU tar command is
fixed: the -P/--absolute-names option must be used explicitly to get
the unsafe behavior.

I suggest making the Python tarfile module safe by default, and adding
an option to allow absolute paths. Issue reported 7 years ago:
https://bugs.python.org/issue21109
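To make the traversal concrete from the defender's side, here is an added example (my own code, not from CPython or the linked issue) that inspects every member of an archive before extraction and refuses the whole archive if any member would land outside the destination: absolute names, any `..` component, or a hard/symlink whose target resolves outside the target directory. The in-memory sample archive with its member names is constructed for the demonstration.

```python
import io
import os
import posixpath
import tarfile


def _inside(base: str, path: str) -> bool:
    """True if path resolves to base itself or somewhere beneath it."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would land outside dest on extraction.

    Rejects absolute names, any '..' path component, and hard/symlinks
    whose target resolves outside dest. Tar member names use '/'.
    """
    bad = []
    for m in tar.getmembers():
        parts = m.name.split("/")
        target = os.path.join(dest, *parts)
        if posixpath.isabs(m.name) or ".." in parts or not _inside(dest, target):
            bad.append(m.name)
            continue
        if m.issym():
            # a symlink target is interpreted relative to the link's own directory
            link = os.path.join(os.path.dirname(target), m.linkname)
        elif m.islnk():
            # a hard link target is interpreted relative to the archive root
            link = os.path.join(dest, m.linkname)
        else:
            continue
        if os.path.isabs(m.linkname) or not _inside(dest, link):
            bad.append(m.name)
    return bad


def scan_archive(data: bytes, dest: str) -> list[str]:
    """Open an archive held in memory and report the members that would escape dest."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return unsafe_members(tar, dest)


def safe_extractall(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member escapes; otherwise extract it.

    Returns the member names that were extracted.
    """
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample: one benign member plus, optionally, three escaping ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes = b"", **attrs) -> None:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            for key, value in attrs.items():
                setattr(ti, key, value)
            tar.addfile(ti, io.BytesIO(data) if data else None)

        add("docs/readme.txt", b"hello\n")
        if malicious:
            add("../escape.txt", b"outside\n")                    # parent-directory traversal
            add("/abs.txt", b"absolute\n")                        # absolute member name
            add("docs/link", type=tarfile.SYMTYPE, linkname="../../outside")  # link out of dest
    return buf.getvalue()


if __name__ == "__main__":
    print("escaping members:", scan_archive(build_sample_archive(), "unpack-dest"))
```

The check runs over the member list before anything touches the filesystem, so a bad archive is rejected whole rather than half-extracted. Python 3.12 added extraction filters (the `filter="data"` argument to `extractall`) that perform checks of this kind inside the module itself; on older interpreters a pre-scan like this one is the fallback.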

== webbrowser ==

Another example: on Windows, the webbrowser module seems to have a shell
command injection vulnerability, reported 2 years ago:
https://bugs.python.org/issue36021

== XML ==

Python XML parsers have at least two known vulnerabilities, "billion
laughs" and "quadratic blowup", which are documented:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

The third party defusedxml module addresses these vulnerabilities:
https://pypi.org/project/defusedxml/

But Python remains unsafe by default, issue reported 8 years ago:
https://bugs.python.org/issue17239
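Both documented attacks depend on entity declarations in the document's DTD, so the smallest stdlib-only mitigation is to refuse any DOCTYPE or entity declaration in untrusted input before handing it to the real parser. The following is an added example of that guard (my own code, not defusedxml and not CPython's): it pre-scans the bytes with `xml.parsers.expat`, raising from the DOCTYPE and entity-declaration handlers, and only then parses with ElementTree. The sample documents are constructed; the entity one only has the shape of the expansion attack at a tiny size.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def check_no_entities(data: bytes) -> None:
    """Pre-scan with expat and refuse any DTD or entity declaration.

    Raising inside an expat handler stops the parser and the exception
    propagates out of Parse(), so the first forbidden construct aborts the scan.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_entity(name, is_parameter_entity, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs and entities first."""
    check_no_entities(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True only for well-formed XML with no DOCTYPE and no entity declarations."""
    try:
        check_no_entities(data)
    except ForbiddenXML:
        return False
    except xml.parsers.expat.ExpatError:
        # malformed input is not something we want to hand on either
        return False
    return True


# Constructed samples: a plain document, a document with an internal DTD that
# declares nested entities (the shape of the expansion attack, kept tiny), and a
# document referencing an external DTD.
BENIGN = b"<order><item sku='A1' qty='2'/></order>"
NESTED_ENTITIES = b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;'>]><d>&b;</d>"
EXTERNAL_DTD = b"<!DOCTYPE d SYSTEM 'remote.dtd'><d/>"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("nested entities", NESTED_ENTITIES),
                       ("external DTD", EXTERNAL_DTD)]:
        print(f"{label}: {'accepted' if is_safe_xml(doc) else 'rejected'}")
```

Refusing the DOCTYPE outright is stricter than defusedxml's defaults, which can be told to allow a DTD while still forbidding entities; for input that never legitimately carries a DTD the stricter rule is the simpler one to reason about.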


== tempfile ==

The tempfile library does not check the prefix argument, which can be
exploited to create files outside tmpdir by using directory traversal.

Issue reported 3 years ago:
https://bugs.python.org/issue35278

The same issue was found and treated as a vulnerability in PHP
(CVE-2006-1494) and Ruby (CVE-2018-6914).


== Issues involving URLs ==

There are multiple issues involving URLs:

"ReDoS in urllib.request"
https://bugs.python.org/issue43075

"http.server: Open Redirection if the URL path starts with //"
https://bugs.python.org/issue43223

"urlparse of urllib returns wrong hostname"
https://bugs.python.org/issue36338

"[CVE-2015-2104] Urlparse insufficient validation leads to open redirect"
https://bugs.python.org/issue23505

"urlparse library detecting wrong hostname leads to open redirect vulnerability"
https://bugs.python.org/issue35748

"http.server can be abused to redirect to (almost) arbitrary URL"
https://bugs.python.org/issue32084

"urllib may leak sensitive HTTP headers to a third-party web site"
https://bugs.python.org/issue33661

"Unnecessary URL scheme exists to allow 'URL: reading file in urllib"
https://bugs.python.org/issue37820

"A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! "
https://bugs.python.org/issue32085
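Several of the issues above are open redirects that hinge on how a URL is split into scheme, host and path: a target beginning with `//` is a network-path reference to another host, and some browsers treat `/\` the same way. The following is an added example (my own code, not from the linked issues or CPython) of the check a web application can apply to a user-supplied redirect target before honouring it: accept only an absolute same-site path, and reject anything urlsplit reports as carrying a scheme or host, anything starting with `//` or `/\`, and anything containing control characters that could make two parsers disagree about the host. The sample targets are constructed.

```python
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """True only for a same-site absolute path such as '/account?tab=1'.

    Rejected: a scheme ('https:', 'mailto:'), a host ('//host'), the
    backslash variant '/\\host' that some browsers normalise to '//host',
    any backslash at all, and any ASCII whitespace or control character.
    """
    if not target:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # urlsplit() puts '//host' into netloc, so network-path references land here
        return False
    path = parts.path
    if not path.startswith("/"):
        return False
    if path.startswith("//") or path.startswith("/\\") or "\\" in path:
        return False
    return True


def choose_redirect(target: str, fallback: str = "/") -> str:
    """Return target if it is a safe local redirect, else the fallback path."""
    return target if is_safe_local_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample targets, as they might arrive in a 'next=' parameter.
    samples = [
        "/account",
        "/account?tab=1#top",
        "//evil.example/",
        "/\\evil.example/",
        "https://evil.example/",
        "mailto:someone@evil.example",
        "/path\tinjected",
        "account",
    ]
    for s in samples:
        print(f"{s!r:32} -> {choose_redirect(s)!r}")
```

Validating the target as a local path sidesteps hostname parsing entirely, which is the point: if the application never needs to send a user to another host, it need not trust any parser's opinion of what the host is.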


Happy hacking!

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/PHHQXJYDFWBIKBAHTVATHBL5DO3ER3BE/
Code of Conduct: http://python.org/psf/codeofconduct/
