Seth Michael Larson <sethmichaellar...@gmail.com> added the comment:

Leaving a thought here, I'm highlighting that we're now implementing two 
different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to 
doing so as now a strict URL parser for RFC 3986 (like the one used by 
urllib3/requests) will give different results compared to Python and thus opens 
up the door for SSRF vulnerabilities [1].

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

----------
nosy: +sethmlarson

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43882>
_______________________________________
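The parser-disagreement risk described in the comment above, as an added example that is not from the tracker comment or from CPython itself. It splits the same URL string with urllib.parse (which, after the change discussed in this issue, leans toward WHATWG behaviour) and with a strict RFC 3986 split (the generic regex from RFC 3986 Appendix B plus the RFC's character set), then refuses any URL where the two disagree on the host. The helper names (rfc3986_host, stdlib_host, safe_host) and the sample URLs are this example's own assumptions.

```python
"""Added example (not from the tracker comment or CPython): refuse URLs on
which urllib.parse and a strict RFC 3986 split disagree about the host.
Helper names and sample inputs are this example's own."""
import re
from urllib.parse import urlsplit

# Generic URI split from RFC 3986 Appendix B. Group 4 is the authority.
_RFC3986_SPLIT = re.compile(
    r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?"
)
# Characters a URI may contain per RFC 3986: unreserved, gen-delims,
# sub-delims and '%'. Tabs, newlines, spaces and backslashes are not in it.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def rfc3986_host(url: str):
    """Lowercased host from a strict RFC 3986 split, or None if the URL has
    no authority. Raises ValueError on characters RFC 3986 forbids instead
    of silently dropping them (which is what the lenient parser does)."""
    if not _URI_CHARS.match(url):
        raise ValueError("URL contains characters outside the RFC 3986 set")
    authority = _RFC3986_SPLIT.match(url).group(4)
    if not authority:
        return None
    hostport = authority.rsplit("@", 1)[-1]        # drop userinfo
    if hostport.startswith("["):                   # IPv6 literal
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        return hostport[1:end].lower()
    return hostport.split(":", 1)[0].lower()       # drop port


def stdlib_host(url: str):
    """Host as urllib.parse sees it, i.e. what a Python client connects to."""
    return urlsplit(url).hostname


def safe_host(url: str):
    """Return the host only when both parsers agree on it, else None.
    None means: do not fetch this URL, whatever an allowlist says."""
    try:
        strict = rfc3986_host(url)
    except ValueError:
        return None
    lenient = stdlib_host(url)
    if strict is None or lenient is None or strict != lenient:
        return None
    return strict


if __name__ == "__main__":
    # Constructed sample inputs; the last two carry tab/newline characters
    # that urllib.parse may strip but RFC 3986 never allows.
    for u in ("http://example.com/path", "http://[::1]:8080/",
              "http://exam\tple.com/", "http://evil.com\n@example.com/"):
        print(repr(u), "->", safe_host(u))
```

Run the agreement check on the exact string that will be handed to the HTTP client, not on a copy that was normalized earlier, and treat None as a hard reject rather than falling back to one parser's answer. The check only narrows the gap between two parsers; the durable fix is to use a single parser end-to-end for validation and for the actual request.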