Gregory P. Smith <g...@krypto.org> added the comment:
Backports to older releases will need to be done manually and take care depending on how much of a concern tightening the existing abusive lenient behavior of the http.client API to enforce what characters are allowed in URLs is to stable releases.

I question if this is _really_ worthy of a "security" tag and a CVE (thus its non-high ranking)... it is a bug in the calling program if it blindly uses untrusted data as a URL. What this issue addresses is that we catch that more often and raise an error; a good thing to do for sure, but the stdlib should be the last line of defense.

----------
versions: -Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
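The caller-side check this comment argues for, as an added example that is not part of the original message or of CPython's code. The rejected character set, the scheme and host allowlists, and the names `validate_url`, `check` and `UntrustedURLError` are assumptions made for illustration; the message does not say which characters http.client enforces.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: allow only printable, non-space ASCII
# (0x21-0x7e) in a URL that came from untrusted input.
_DISALLOWED = re.compile(r"[^\x21-\x7e]")
ALLOWED_SCHEMES = {"http", "https"}   # hypothetical policy
ALLOWED_HOSTS = {"api.example.com"}   # hypothetical allowlist

class UntrustedURLError(ValueError):
    """Raised when caller-supplied URL data fails validation."""

def validate_url(raw: str) -> str:
    """Return raw unchanged if it may be handed to an HTTP client."""
    m = _DISALLOWED.search(raw)
    if m:
        raise UntrustedURLError(
            f"disallowed character {m.group()!r} at offset {m.start()}")
    try:
        parts = urlsplit(raw)
        parts.port  # property access raises ValueError on a bad port
    except ValueError as exc:
        raise UntrustedURLError(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UntrustedURLError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UntrustedURLError("userinfo not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UntrustedURLError(f"host {parts.hostname!r} not allowed")
    return raw

def check(raw: str) -> str:
    """Return 'ok' or the rejection reason for one input."""
    try:
        validate_url(raw)
        return "ok"
    except UntrustedURLError as exc:
        return f"rejected: {exc}"

# Constructed sample inputs, not taken from the issue.
SAMPLES = [
    "https://api.example.com/v1/items?id=7",
    "https://api.example.com/v1/items?id=7 extra",
    "https://api.example.com/v1\r\nitems",
    "https://other.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check(sample))
```

Validation of this kind runs before the URL reaches http.client; the library's own check then stays the last line of defense, as the comment puts it.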