Barry A. Warsaw <ba...@python.org> added the comment:

I'm inclined not to support backporting to Python 2.6.  It seems like a fairly 
rare and narrow hole for a security problem, because it would require a program 
to add the bogus header explicitly, as opposed to getting it after parsing some 
data.  To me, that smacks of an SQL-injection or XSS type bug, where it's really 
the application that's the problem.

Or in other words, assuming you don't have a program that is deliberately 
adding such headers (and then it should be considered a feature, i.e. they know 
what they're doing), then you'd have to trick a header-adding program to add 
some unvalidated text.

I dunno, it doesn't seem like a serious enough threat to backport.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue5871>
_______________________________________