On Thu, Jun 7, 2018 at 8:47 PM, Marko Rauhamaa <ma...@pacujo.net> wrote:
> Chris Angelico <ros...@gmail.com>:
>
>> On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <ma...@pacujo.net> wrote:
>>> 3. http://localhost:8000/te%00st.html
>>>
>>>    => The server crashes with a ValueError and the TCP connection is
>>>       reset
>>>
>> it's somewhat unideal behaviour - I would prefer to see an HTTP 500
>> come back if the server crashes - but I can't see that that's a
>> security problem. Just a QOS issue, wherein you might get a 500 rather
>> than a 404 for certain requests.
>
> It's a demonstration of how this innocent-looking problem can lead to
> surprising and even serious consequences.
>
> The given URI is well-formed and should not give any particular trouble
> to any HTTP server.

You haven't demonstrated a security problem. Don't claim security risks
unless you can show there's at least a possibility of that; otherwise,
it's just FUD.

ChrisA
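
An added example, not part of the thread or of any server's code: it reproduces the ValueError that a percent-decoded NUL byte triggers at the filesystem call, next to a lookup that turns the same request into an HTTP status instead of an unhandled exception. The function names, the directory layout and the choice of 400 for a NUL byte are assumptions made for illustration.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote, urlsplit


def unchecked_lookup(root, raw_path):
    """Decode the request path and stat it with no validation."""
    decoded = unquote(urlsplit(raw_path).path)        # "%00" becomes "\x00"
    return os.stat(os.path.join(root, decoded.lstrip("/")))


def checked_lookup(root, raw_path):
    """Return (http_status, filesystem_path_or_None); never raises."""
    decoded = unquote(urlsplit(raw_path).path)
    if "\x00" in decoded:
        return 400, None                              # assumed policy: reject early
    # Drop empty, "." and ".." segments so the result stays under root.
    parts = [p for p in posixpath.normpath(decoded).split("/")
             if p not in ("", ".", "..")]
    candidate = os.path.join(root, *parts)
    try:
        os.stat(candidate)
    except (FileNotFoundError, NotADirectoryError):
        return 404, None
    except (ValueError, OSError):
        return 500, None                              # anything else: answer, don't reset
    return 200, candidate


def demo():
    """Run both lookups against a constructed temporary document root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "test.html"), "w") as fh:
            fh.write("ok")
        try:
            unchecked_lookup(root, "/te%00st.html")
            crashed = False
        except ValueError:                            # "embedded null byte"
            crashed = True
        requests = ("/test.html", "/missing.html", "/te%00st.html")
        return crashed, [checked_lookup(root, p)[0] for p in requests]


if __name__ == "__main__":
    print(demo())
```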