[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Karthikeyan Singaravelan report at bugs.python.org
Wed Jan 16 08:04:32 EST 2019


Karthikeyan Singaravelan <tir.karthi at gmail.com> added the comment:

There are also some notes at https://tools.ietf.org/html/rfc3986#section-7.6

Because the userinfo subcomponent is rarely used and appears before
the host in the authority component, it can be used to construct a
URI intended to mislead a human user by appearing to identify one
(trusted) naming authority while actually identifying a different
authority hidden behind the noise.  For example

ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm

might lead a human user to assume that the host is 'cnn.example.com',
whereas it is actually '10.0.0.1'.  Note that a misleading userinfo
subcomponent could be much longer than the example above.

A misleading URI, such as that above, is an attack on the user's
preconceived notions about the meaning of a URI rather than an attack
on the software itself.  User agents may be able to reduce the impact
of such attacks by distinguishing the various components of the URI
when they are rendered, such as by using a different color or tone to
render userinfo if any is present, though there is no panacea.  More
information on URI-based semantic attacks can be found in [Siedzik].

In Firefox Nightly and the latest Chrome, pasting the above URL makes a request to 10.0.0.1/top_story.htm; in Chrome the URL in the address bar is changed to 10.0.0.1/top_story.htm, and Firefox has the same URL in the address bar. Python also returns '10.0.0.1' as the hostname for the above example using urlparse.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35748>
_______________________________________
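The following is an added example, not code from the Python tracker or from CPython, showing how the standard library splits the RFC 3986 section 7.6 URL quoted above and how a redirect target can be checked on the defender's side. It uses urllib.parse.urlsplit (the function urlparse is built on) and two hypothetical helpers, describe_authority and is_allowed_redirect; the sample URLs and the allow-list are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration. The first is the RFC 3986
# section 7.6 example quoted in the message above; the others are ordinary
# URLs with and without a userinfo subcomponent.
SAMPLE_URLS = [
    "ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm",
    "https://cnn.example.com/top_story.htm",
    "https://user:secret@cnn.example.com/top_story.htm",
]


def describe_authority(url: str) -> dict:
    """Split a URL and report which part is the real host and whether a
    userinfo subcomponent (the text before '@' in the authority) is present.
    Hypothetical helper written for this example."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "hostname": parts.hostname,   # always the part after the last '@'
        "username": parts.username,   # the misleading "trusted" name lands here
        "password": parts.password,
        "has_userinfo": parts.username is not None or parts.password is not None,
    }


def naive_host_check(url: str, trusted_host: str) -> bool:
    """The substring test that open-redirect filters are often built on.
    It is fooled by the RFC example because the trusted name appears in the
    userinfo, not in the host; shown here only to contrast with the parsed check."""
    return trusted_host in url


def is_allowed_redirect(url: str, allowed_hosts: frozenset) -> bool:
    """Hypothetical defender-side check for redirect targets: the parsed
    hostname (never the raw string) must be on the allow-list, and any URL
    carrying userinfo is refused outright, since a trusted-looking name in
    userinfo is exactly the pattern RFC 3986 section 7.6 warns about."""
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts


if __name__ == "__main__":
    allowed = frozenset({"cnn.example.com"})
    for url in SAMPLE_URLS:
        info = describe_authority(url)
        print(url)
        print("  hostname:", info["hostname"], "| userinfo:", info["has_userinfo"])
        print("  naive substring check:", naive_host_check(url, "cnn.example.com"))
        print("  parsed allow-list check:", is_allowed_redirect(url, allowed))
```

For the RFC example the parsed hostname is '10.0.0.1' and the username is 'cnn.example.com&story=breaking_news', which is why a substring or prefix test on the raw URL passes while a check on the parsed hostname does not. Refusing userinfo entirely is a deliberate choice for redirect targets: legitimate redirects to a site's own pages never need credentials embedded in the URL, and dropping them removes the whole class of misleading authorities at once.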