CVE-2019-9636 - Can this be exploited over the wire?

Random832 random832 at fastmail.com
Thu Sep 5 11:05:10 EDT 2019


On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
> I have been looking into CVE-2019-9636 and I'm not sure that
> python code that works in bytes is vulnerable to this.

I'm not convinced that the CVE (or, at least, the description in the bug report... it's also unclear to me whether this is an accurate example of the CVE) is valid at all. That is, I don't think its suggestion that browsers generally use compatibility normalization in decomposing URLs is correct.

I tried the given address "https://example.com\uff03@bing.com" (with actual \uff03 character) in Firefox, Chrome, and Edge, and they all accessed bing.com.
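Added illustration, not code from this thread or from CPython: the check below makes the point of the CVE concrete by comparing the host a plain splitter sees in the quoted address with the host a splitter that first applies NFKC compatibility normalization would see. It assumes, from my reading of the CPython fix for CVE-2019-9636, that the fix rejects a netloc whose NFKC normalization introduces one of the delimiters "/?#@:"; `naive_netloc`, `host_of`, `check_url`, `urlsplit_rejects` and the two sample URLs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit URL components. The concern behind the CVE is a
# netloc that contains none of them until NFKC normalization is applied,
# after which the host boundary moves.
DELIMITERS = "/?#@:"

# Constructed samples: the address quoted in the thread, with a real
# U+FF03 FULLWIDTH NUMBER SIGN in the netloc, plus a benign control URL.
SAMPLE_URL = "https://example.com\uff03@bing.com"
BENIGN_URL = "https://user@example.com:8443/path?q=1#frag"


def naive_netloc(url: str) -> str:
    """Take the netloc the way an unnormalized splitter does:
    everything after '://' up to the first '/', '?' or '#'."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if i != -1:
            end = min(end, i)
    return rest[:end]


def host_of(netloc: str) -> str:
    """Host portion of a netloc: drop userinfo (before the last '@')
    and a trailing ':port'; bracketed IPv6 literals are kept whole."""
    host = netloc.rpartition("@")[2]
    if host.startswith("[") and "]" in host:
        return host[: host.index("]") + 1]
    if ":" in host:
        host = host.rpartition(":")[0]
    return host


def check_url(url: str) -> dict:
    """Compare the host before and after NFKC normalization of the netloc.
    'structure_changes' is True when normalization introduces a delimiter
    that was not present in the raw netloc, which is the condition the
    CPython fix rejects (assumption stated in the lead-in)."""
    netloc = naive_netloc(url)
    normalized = unicodedata.normalize("NFKC", netloc)
    before = {c for c in DELIMITERS if c in netloc}
    after = {c for c in DELIMITERS if c in normalized}
    # Re-cut the normalized text at any delimiter NFKC produced; that is
    # where a normalizing parser would end the authority component.
    renormalized_netloc = naive_netloc("x://" + normalized)
    return {
        "netloc": netloc,
        "normalized_netloc": normalized,
        "introduced_delimiters": sorted(after - before),
        "host_before": host_of(netloc),
        "host_after": host_of(renormalized_netloc),
        "structure_changes": bool(after - before),
    }


def urlsplit_rejects(url: str) -> bool:
    """True if this interpreter's urllib.parse.urlsplit refuses the URL
    with ValueError (what the patched versions do for such a netloc)."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in (SAMPLE_URL, BENIGN_URL):
        report = check_url(url)
        print(repr(url))
        for key, value in report.items():
            print(f"  {key}: {value!r}")
        print(f"  urlsplit rejects it here: {urlsplit_rejects(url)}")
```

On an unpatched interpreter both splitters accept the quoted address, but one resolves the host to bing.com and the other to example.com; whether that gap matters in practice depends on whether any component in the path actually applies compatibility normalization, which is exactly the point the message above questions.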
