CVE-2019-9636 - Can this be exploit over the wire?
Barry Scott
barry at barrys-emacs.org
Thu Sep 5 13:57:43 EDT 2019
> On 5 Sep 2019, at 16:18, Random832 <random832 at fastmail.com> wrote:
Thanks for taking the time to reply.
>
> On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
>> The conclusion I reached is that the CVE only applies to client code
>> that allows a URL in unicode to be entered.
>>
>> Have I missed something important in the analysis?
>
> While as I mentioned in my other post I'm not sure if the CVE's analysis of URL behavior is correct generally,
Agreed, would have liked to have had more details and context.
> you have missed the fact that an HTML page can provide URLs in unicode, either with the page itself encoded in UTF-8, or with whatever characters escaped as XML character references... not only as bytes in IDNA or percent-escaped hex. The same principle applies to other formats in which URLs might be interchanged as encoded unicode strings, such as JSON. The fact that accessing such a URL requires converting the non-ASCII parts to IDNA (for the domain part) or percent-escaped hex (for other parts) doesn't limit this to user input.
>
> <a href="https://example.com#@bing.com">like this</a>
That gets the unicode version into the app and then the bug can be triggered.
In my case this is not a way in as the code does not parse web pages.
Barry
> --
> https://mail.python.org/mailman/listinfo/python-list
>
More information about the Python-list
mailing list