STINNER Victor added the comment:

I tested my system python2 (Python 2.7.13 on Fedora 25):

haypo@selma$ python2
Python 2.7.13 (default, May 10 2017, 20:04:28)
>>> urllib.splithost('//hostname/url')
('hostname', '/url')
>>> urllib.splithost('//host\nname/url') # newline in hostname, accepted
('host\nname', '/url')
>>> print(urllib.splithost('//host\nname/url')[0]) # newline in hostname, accepted
host
name
>>> urllib.splithost('//hostname/ur\nl') # newline in URL, rejected
(None, '//hostname/ur\nl')

=> Newline is accepted in the hostname, but not in the URL path.

With my change (adding DOTALL), newlines are accepted in the hostname and in the URL:

haypo@selma$ ./python
Python 2.7.13+ (heads/2.7:b39a748, Jun 19 2017, 18:07:19)
>>> import urllib
>>> urllib.splithost("//hostname/url")
('hostname', '/url')
>>> urllib.splithost("//host\nname/url") # newline in hostname, accepted
('host\nname', '/url')
>>> urllib.splithost("//hostname/ur\nl") # newline in URL, accepted
('hostname', '/ur\nl')

More generally, it seems like the urllib module doesn't try to validate URL content. It just tries to "split" them. Who is responsible for validating URLs? Is it the responsibility of the application developer to implement a whitelist?

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue30500>
_______________________________________
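Added example, not part of the original message and not CPython's own code: it reproduces the two splitting behaviours from the transcript and adds a caller-side check that refuses control characters before splitting. The two patterns are assumptions written to match the transcript's results, and the names split_host, checked_split_host, HOST_NO_DOTALL and HOST_DOTALL are hypothetical.

```python
import re

# Assumption: patterns written to reproduce the transcript's behaviour;
# they are not copied from CPython's urllib source.
HOST_NO_DOTALL = re.compile(r'^//([^/?]*)(.*)$')
HOST_DOTALL = re.compile(r'//([^/?]*)(.*)', re.DOTALL)


def split_host(url, pattern):
    """Return (host, rest) like splithost(), or (None, url) on no match."""
    m = pattern.match(url)
    if m is None:
        return None, url
    return m.group(1), m.group(2)


# C0 control characters, space and DEL: none may appear unencoded in a URL.
_FORBIDDEN = re.compile(r'[\x00-\x20\x7f]')


def checked_split_host(url):
    """Caller-side check: refuse the URL instead of relying on the splitter."""
    if _FORBIDDEN.search(url):
        raise ValueError('control character or whitespace in URL: %r' % url)
    host, rest = split_host(url, HOST_DOTALL)
    if not host:
        raise ValueError('URL has no host: %r' % url)
    return host, rest


if __name__ == '__main__':
    # Constructed sample inputs, the same three shapes as in the transcript.
    samples = ['//hostname/url', '//host\nname/url', '//hostname/ur\nl']
    for url in samples:
        print(repr(url))
        print('  without DOTALL:', split_host(url, HOST_NO_DOTALL))
        print('  with DOTALL:   ', split_host(url, HOST_DOTALL))
        try:
            print('  checked:       ', checked_split_host(url))
        except ValueError as exc:
            print('  rejected:      ', exc)
```

The negated class `[^/?]` matches a newline with or without DOTALL, which is why the hostname case behaves the same under both patterns; only the `(.*)` group changes.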