[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2021-04-23 Thread Gregory P. Smith
Change by Gregory P. Smith: -- nosy: +gregory.p.smith

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-07-25 Thread STINNER Victor
STINNER Victor added the comment: https://bugs.python.org/issue29606 was fixed in ftplib. urllib is not the right place to reject invalid inputs. -- resolution: -> rejected stage: -> resolved status: open -> closed

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-07-22 Thread ecbftw
ecbftw added the comment: I'm the guy that did the original security research on this issue. I've been a pentester for over 12 years, where I am regularly helping developers understand how to best correct their injection flaws. Please carefully consider what I'm trying to tell you. I've been

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-07-02 Thread Martin Panter
Martin Panter added the comment: It might help if you explained why you want to make these changes. Otherwise I have to guess. Is it a compromise between strictly rejecting all non-URL characters (not just control characters), versus leaving it up to user applications to validate their URLs? I

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-27 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: First, I think urllib.parse is not the best place for doing such checks. Even if we add some checks in urllib.parse, they should also be added at a lower level in urllib.request or concrete protocol implementations. Second, PR 2303 actually doesn't reject

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread Nam Nguyen
Nam Nguyen added the comment: Just being nosy here that we should not continue down the path with regex. A proper grammar parser according to spec would be much more appropriate and eliminate these whack-a-mole issues. -- nosy: +Nam.Nguyen

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
STINNER Victor added the comment: I tried to be more strict, and I was bitten by tests: test_urllib fails on splittype("data:...") where (...) contains newline characters. One example: == ERROR: test_read_text_base64

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2350

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
STINNER Victor added the comment:
> See also issue29606. I think that fixing the modules implementing Internet protocols is a more appropriate way than fixing just a parsing utility.

IMHO we can/should fix ftplib (ftplib, httplib, etc.) *and* urllib.

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: See also issue29606. I think that fixing the modules implementing Internet protocols is a more appropriate way than fixing just a parsing utility. -- nosy: +serhiy.storchaka

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
STINNER Victor added the comment: I chose to not change how the \r newline character (U+000D) is handled: it is still accepted, even if it is used in SMTP and HTTP as newline separator.

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2348

[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-06-20 Thread STINNER Victor
New submission from STINNER Victor: Spin-off of the bpo-30500: modify the urllib.parse module to reject the newline character (U+000A) in URLs. Modify 3 functions:
* splittype()
* splithost()
* splitport()
-- messages: 296453 nosy: haypo priority: normal severity: normal status: open