Message235938
| Author |
demian.brecht |
| Recipients |
Guido, demian.brecht, martin.panter, orsenthil, r.david.murray |
| Date |
2015年02月14日.01:07:07 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1423876028.97.0.715206350455.issue22928@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
Here's a patch addressing the potential vulnerability as reported. The patch should also bring the implementation up to date with the most recent standards around header names and values.
> There could be potential for breaking compatibility if people are intentionally sending values with folded lines (obsoleted by the new HTTP RFC).
I think I'm okay with this given line folding seems to have been implemented by passing multiple value parameters (folding was automatically taken care of by the library).
I don't think that this should be merged into anything pre 3.5 as safeguarding /should/ be accounted for by the developer, so I don't think I'd regard this as a high risk security issue. I'm definitely open to debate on that though. |
|