[issue44744] [security] Open redirect attack due to insufficient validation in Urlparse
Logan Jones
report at bugs.python.org
Mon Jul 26 21:06:59 EDT 2021
Logan Jones <loganasherjones at gmail.com> added the comment:
I don't know if urlparse is actually "mishandling" these URLs.
Looking over RFC 1808 (https://datatracker.ietf.org/doc/html/rfc1808.html), the BNF (https://datatracker.ietf.org/doc/html/rfc1808.html#section-2.2) seems to support what urlparse is reporting, at least for the first two examples.
I'll try to break down each scenario. Maybe you can help me understand what you expect it to report?
https : // /www.attacker.com
  "https"  -> scheme
  "//"     -> net_loc delimiter
  "/"      -> not a valid netloc character, but is a valid abs_path beginning
              (according to the spec net_loc is allowed to be empty)

https : /www.attacker.com/a/b
  "https"                 -> scheme
  "/www.attacker.com/a/b" -> valid abs_path

https : \ www.attacker.com/a/b
  "https" -> scheme
  "\"     -> this isn't actually matched anywhere in the BNF, so if anything
             maybe a value error should have been raised?
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue44744>
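As an added illustration (not part of Logan Jones's comment or of CPython's own code), the snippet below runs urlparse over the three URLs discussed in the comment plus a few constructed cases, so the scheme/netloc/path split can be seen side by side. It then pairs that with a defender-side redirect check: a target with a scheme but an empty netloc, a triple-slash prefix, or a backslash where a browser would read a slash is refused, and an absolute URL is accepted only when its netloc is on an allow list. The allow-listed host www.example.com, the helper names and the sample inputs are all assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample targets: the three from the comment, plus ordinary
# same-site and scheme-relative forms for comparison.
SAMPLES = [
    "https:///www.attacker.com",
    "https:/www.attacker.com/a/b",
    "https:\\www.attacker.com/a/b",
    "https://www.example.com/a/b",
    "/account/profile",
    "//www.attacker.com/a",
]


def parse_parts(url):
    """Return (scheme, netloc, path) exactly as urlparse reports them."""
    p = urlparse(url)
    return p.scheme, p.netloc, p.path


def is_safe_redirect(target, allowed_hosts):
    """Accept only same-site absolute paths or absolute URLs whose netloc is
    allow-listed. Deliberately stricter than urlparse alone, because browsers
    repair inputs such as 'https:/host' or 'https:\\host' into a real host."""
    if not target or not target.isprintable():
        # Empty targets and control characters are refused outright.
        return False
    # Browsers treat backslash as a path separator; normalise first so the
    # check judges the URL by its browser meaning, not urlparse's.
    normalised = target.replace("\\", "/")
    if normalised.startswith("///"):
        # Three or more leading slashes: urlparse yields an empty netloc,
        # but a browser collapses the slashes and lands on the named host.
        return False
    try:
        p = urlparse(normalised)
    except ValueError:
        # e.g. malformed IPv6 literal in the netloc
        return False
    if p.scheme and not p.netloc:
        # 'https:/host' or 'https:///host': scheme present, authority empty.
        return False
    if p.scheme and p.scheme not in ("http", "https"):
        return False
    if p.netloc:
        # Compare the whole netloc, so userinfo or a port also fail the check.
        return p.netloc.lower() in allowed_hosts
    # No scheme and no netloc: only an absolute path on this site is allowed.
    return normalised.startswith("/")


if __name__ == "__main__":
    allowed = {"www.example.com"}
    for url in SAMPLES:
        scheme, netloc, path = parse_parts(url)
        print(f"{url!r:32} scheme={scheme!r:8} netloc={netloc!r:20} "
              f"path={path!r:26} safe={is_safe_redirect(url, allowed)}")
```

Running the block shows that all three URLs from the comment come back from urlparse with an empty netloc and the attacker host sitting in the path, which is why a redirect handler that only inspects `netloc` lets them through; the check above refuses each of them while still accepting `/account/profile` and `https://www.example.com/a/b`.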