Everyone (including the submitter of the now public exploit who submitted the issue half a year ago to security@python.org and the NVD) seems to think that #99421 "accidentally fixed" CVE-2023-24329.
Did the Python Security Response Team verify that this vulnerability that was reported to them and that is now public was fixed by #99421?
The PoC from the submitter still works for me with the Debian package 3.11.2-4, which surprised me and makes me wonder whether the fix had any effect at all on the stripping of leading blanks issue in the CVE.
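The behaviour the issue is about, shown as an added example; this is neither the submitter's PoC nor code from CPython. It contrasts a blocklist written against the scheme field that urlsplit returns (the pattern CVE-2023-24329 bypasses with a leading blank), a probe that reports whether the running interpreter strips leading blanks, and an allowlist check that does not depend on that behaviour. All function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample policy for illustration; none of this is the submitter's PoC.
BLOCKED_SCHEMES = frozenset({"file", "ftp", "gopher"})
ALLOWED_SCHEMES = frozenset({"http", "https"})

# RFC 3986 scheme syntax, anchored at offset 0 so nothing may precede it.
_SCHEME_AT_START = re.compile(r"\A[A-Za-z][A-Za-z0-9+.\-]*:")


def blocked_naive(url: str) -> bool:
    """Blocklist check as many applications wrote it: trust the scheme
    field that urlsplit returns. On an interpreter that does not strip
    leading blanks, " file:///etc/passwd" has an empty scheme in
    urlsplit's view, so this answers False even though a downstream
    fetcher that trims whitespace will still treat it as file://.
    """
    return urlsplit(url).scheme.lower() in BLOCKED_SCHEMES


def interpreter_strips_leading_blanks() -> bool:
    """Probe for the running interpreter: True if urlsplit ignores a
    leading blank (fixed behaviour), False if the blank hides the scheme
    (the behaviour the issue reports as still present in 3.11.2-4)."""
    return urlsplit(" https://example.org/").scheme == "https"


def allowed_hardened(url: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Allowlist check that is independent of how urlsplit treats blanks.

    * Reject, rather than strip, leading/trailing whitespace and any C0
      control or DEL character, so the validated string is exactly the
      string a downstream consumer will receive.
    * Require an explicit scheme at offset 0 and a non-empty authority.
    * Allowlist schemes instead of blocklisting the known-bad ones.
    """
    if url != url.strip():
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    if not _SCHEME_AT_START.match(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets in the netloc
        return False
    return parts.scheme.lower() in allowed and bool(parts.netloc)


def compare(url: str) -> dict:
    """Evaluate one input under both policies, for a quick side-by-side."""
    return {
        "url": url,
        "urlsplit_scheme": urlsplit(url).scheme,
        "blocked_naive": blocked_naive(url),
        "allowed_hardened": allowed_hardened(url),
    }


if __name__ == "__main__":
    print("interpreter strips leading blanks:", interpreter_strips_leading_blanks())
    for sample in (
        "https://example.org/",
        "file:///etc/passwd",
        " file:///etc/passwd",      # leading space: the CVE case
        "\x00file:///etc/passwd",   # leading C0 control character
        "HTTPS://example.org/",
    ):
        print(compare(sample))
```

Running the block on an interpreter with and without the urlsplit change shows the difference directly: `blocked_naive(" file:///etc/passwd")` flips between False and True depending on whether leading blanks are stripped, while `allowed_hardened` rejects the input on every version because it refuses non-canonical input up front rather than relying on the parser to normalise it.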
Linked PRs
- #102508: … urlsplit
- #104575: … urlsplit (GH-102508)
- #104592: … urlsplit (GH-102508) (GH-104575)
- #104593: … urlsplit (GH-102508) (GH-104575) (GH-104592)
- #104895: … urlsplit (GH-102508) (GH-104575) (GH-104592) (#104593)
- #104896: … urlsplit (GH-102508) (GH-104575) (GH-104592) (#104593)