On 2017-12-30 13:19, Skip Montanaro wrote:
> Guido wrote:
> 
>     This being a security issue I think it's okay to break 3.6. Might
>     even backport to 3.5 if it's easy?
> 
> 
> Is it also a security issue with 2.x? If so, should a fix to 2.7 be
> contemplated?

IMO the IDNA encoding problem isn't a security issue per se. The ssl
module just cannot handle internationalized domain names at all. IDN
domains always fail to verify. Users may just be encouraged to disable
hostname verification.

On the other hand, the use of IDNA 2003 and lack of IDNA 2008 support [1]
can be considered a security problem for German, Greek, Japanese,
Chinese and Korean domains [2]. I have neither the resources nor the
expertise to address the encoding issue.

Christian

[1] https://bugs.python.org/issue17305
[2] https://www.unicode.org/reports/tr46/#Transition_Considerations
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
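
An added example, not part of the original message or of CPython's ssl module: it flags hostnames whose ASCII form under Python's built-in `idna` codec (IDNA 2003) differs from a non-mapping, IDNA 2008-style encoding, using the German and Greek cases from [2]. The function names and sample hostnames are constructed for illustration, and the IDNA 2008 side is a simplified stand-in (NFC, lowercase, Punycode) without the standard's validity checks.

```python
import unicodedata


def encode_idna2003(hostname: str) -> str:
    """ASCII form from Python's built-in "idna" codec, which implements IDNA 2003."""
    return hostname.encode("idna").decode("ascii")


def encode_without_mapping(hostname: str) -> str:
    """Simplified IDNA 2008-style form: NFC + lowercase, then Punycode per label.

    Assumption: no IDNA 2008 validity checks (bidi, contextual rules) are done;
    this only shows where the IDNA 2003 character mapping changes the result.
    """
    labels = []
    for label in unicodedata.normalize("NFC", hostname).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def find_deviations(hostnames):
    """Return (hostname, idna2003, unmapped) for names the two encodings disagree on."""
    deviations = []
    for host in hostnames:
        old, new = encode_idna2003(host), encode_without_mapping(host)
        if old != new:
            deviations.append((host, old, new))
    return deviations


# Constructed sample hostnames, not taken from the thread.
SAMPLE_HOSTS = [
    "stra\u00dfe.de",                       # German sharp s
    "\u03b2\u03cc\u03bb\u03bf\u03c2.com",   # Greek final sigma
    "b\u00fccher.example",                  # umlaut only: both encodings agree
    "www.python.org",                       # plain ASCII
]

if __name__ == "__main__":
    for host, old, new in find_deviations(SAMPLE_HOSTS):
        print(f"{host}: IDNA 2003 -> {old}, unmapped -> {new}")
```

A name reported here can refer to two different registrable domains depending on which standard the client applies, so the hostname a certificate is checked against may not be the one the user typed.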