On 2017-12-30 13:19, Skip Montanaro wrote: > Guido wrote: > > This being a security issue I think it's okay to break 3.6. might > even backport to 3.5 if it's easy? > > > Is it also a security issue with 2.x? If so, should a fix to 2.7 be > contemplated?
IMO the IDNA encoding problem isn't a security issue per se. The ssl module just cannot handle internationalized domain names at all. IDN domains always fail to verify. Users may just be encouraged to disable hostname verification. On the other hand the use of IDNA 2003 and lack of IDNA 2008 support [1] can be considered a security problem for German, Greek, Japanese, Chinese and Korean domains [2]. I neither have resources nor expertise to address the encoding issue. Christian [1] https://bugs.python.org/issue17305 [2] https://www.unicode.org/reports/tr46/#Transition_Considerations _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
