Vulnerability: urlsplit does not handle NFKC normalization
Steve Dower
steve.dower at python.org
Thu Mar 7 13:52:13 EST 2019
We recently disclosed and patched a potential vulnerability in Python
applications that use urlsplit() or urlparse() on user-provided URLs.
You may be impacted if a user can provide a Unicode URL to your
application that is later converted to IDNA (Punycode) or ASCII. This
conversion will decompose certain Unicode characters that can affect the
netloc part of your URL, potentially resulting in requests being sent to
an unexpected host.
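As an added illustration (not code from this announcement or from CPython), the following check applies the idea above defensively: it NFKC-normalizes the netloc that urlsplit() returned and rejects the URL if normalization would introduce a URL delimiter into it. The sample URL is constructed; it uses U+FF0F (FULLWIDTH SOLIDUS), which normalizes to "/" under NFKC.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit the authority section of a URL; if NFKC
# normalization produces one of these, the host boundary moves.
_DELIMITERS = "/?#@:"


def netloc_is_safe_under_nfkc(netloc):
    """True unless NFKC-normalizing netloc would introduce a delimiter."""
    # '@' (userinfo), ':' (port), '#' and '?' may legitimately appear in
    # the original netloc, so strip them before comparing.
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True  # nothing decomposed; the host is stable
    return not any(ch in normalized for ch in _DELIMITERS)


def safe_urlsplit(url):
    """urlsplit() plus the NFKC netloc check; raises ValueError on failure."""
    parts = urlsplit(url)  # patched interpreters already raise ValueError here
    if not netloc_is_safe_under_nfkc(parts.netloc):
        raise ValueError("netloc %r changes under NFKC normalization" % parts.netloc)
    return parts


def url_is_safe(url):
    """Convenience wrapper returning a bool instead of raising."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: the last one contains U+FF0F, which NFKC turns into "/".
    for u in ("https://example.com/path",
              "https://user:pw@example.com:8443/",
              "https://example.com\uff0fevil.example/"):
        print(repr(u), url_is_safe(u))
```

On an unpatched interpreter the wrapper rejects the third URL; on a patched one urlsplit() itself raises ValueError for the same input, so callers see the same outcome either way.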
All versions of Python are affected. Patches have been applied for the
next releases of 2.7, 3.7 and 3.8, and are under review for 3.4, 3.5 and
3.6.
Full details, links to the patches, and workarounds for applications are
available at:
* https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
* https://bugs.python.org/issue36216
A CVE number has been requested but is not yet available.
The issue was discovered by Jonathan Birch of Microsoft Corporation and
Panayiotis Panayiotou, and reported to the Python Security Response Team
<security at python.org>.