[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Karthikeyan Singaravelan report at bugs.python.org
Wed Jan 16 05:32:03 EST 2019


Karthikeyan Singaravelan <tir.karthi at gmail.com> added the comment:

I just tested other implementations in Ruby and Go and they too return host as "evil.com" for "http://www.google.com@evil.com" along with the user info component.

$ ruby -e 'require "uri"; puts URI("http://www.google.com@evil.com").hostname'
evil.com
$ cat /tmp/foo.go
package main

import (
	"fmt"
	"net/url"
)

func main() {
	u, _ := url.Parse(`http://www.google.com@evil.com`)
	fmt.Println(u.Host);
	fmt.Println(u.User);
}
$ go run /tmp/foo.go
evil.com
www.google.com

----------
nosy: +xtreak

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35748>
_______________________________________
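A defender-side illustration, added here and not part of the tracker thread: Python's urllib.parse splits the same URL the same way as the Ruby and Go runs above (hostname "evil.com", username "www.google.com"), and a redirect-target check is only sound when it compares the parsed hostname against an allowlist instead of testing a string prefix. The sample URLs, the allowlist and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample redirect targets; the second one is the URL from the
# comment above, the rest are variations built for this example.
SAMPLES = [
    "http://www.google.com/search",
    "http://www.google.com@evil.com",
    "http://www.google.com:pass@evil.com/",
    "https://evil.com/?next=www.google.com",
    "//evil.com",
]

# Constructed allowlist of hosts a redirect may point to.
ALLOWED_HOSTS = {"www.google.com"}


def parsed_host_and_user(url: str) -> tuple:
    """Return (hostname, username) as urlsplit sees them."""
    parts = urlsplit(url)
    return parts.hostname, parts.username


def naive_is_allowed(url: str) -> bool:
    """Prefix check: accepts the userinfo trick, because the URL really does
    *start* with the trusted host text even though the host is evil.com."""
    return any(url.startswith(f"http://{h}") or url.startswith(f"https://{h}")
               for h in ALLOWED_HOSTS)


def parsed_is_allowed(url: str) -> bool:
    """Hardened check: require http(s), reject any userinfo component, and
    compare the parsed hostname (already lowercased by urlsplit) exactly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def classify(urls) -> dict:
    """Map each URL to (naive_result, hardened_result) for side-by-side review."""
    return {u: (naive_is_allowed(u), parsed_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for u, (naive, parsed) in classify(SAMPLES).items():
        host, user = parsed_host_and_user(u)
        print(f"{u!r}: hostname={host!r} username={user!r} "
              f"naive={naive} parsed={parsed}")
```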

