[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability
Martin Panter
report at bugs.python.org
Wed Jan 16 05:01:37 EST 2019
Martin Panter <vadmium+py at gmail.com> added the comment:
FWIW I understand the backslash should be percent-encoded in URLs, otherwise the URL is not valid.
This reminds me of a few other bugs:
* Issue 30500: Made the behaviour of fragment (#. . .) versus userinfo (. . .@) consistent, e.g. in //www.google.com#@xxx.com
* Issue 18140: Also about the ambiguity of fragment (#. . .) and query (?. . .) versus userinfo (. . .@)
* Issue 23328: Precedence of path segment (/. . .) versus userinfo (. . .@); e.g. //user/name:pass/word at www.google.com
I think people some times come up with these invalid URLs because they are trying to make a URL that includes a password with unusual characters (e.g. for the “http_proxy” environment variable). So raising an exception or otherwise changing the parsing behaviour could break those cases.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35748>
_______________________________________
More information about the Python-bugs-list
mailing list