[New-bugs-announce] [issue46577] Hostname spoofing via backslashes in URL
Dashmeet Kaur Ajmani
report at bugs.python.org
Sat Jan 29 19:29:31 EST 2022
New submission from Dashmeet Kaur Ajmani <dashmeetajmani at gmail.com>:
A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.
Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"
Expected behaviour (as returned by NPM urijs):
{
"scheme": "http",
"user": "",
"password": "",
"host": "google.com",
"port": "",
"path": "@yahoo.com/",
"query": "",
"fragment": "what\\is going on"
}
Actual behaviour:
{
"scheme": "http",
"user": "google.com",
"password": "80\\",
"host": "yahoo.com",
"port": "",
"path": "/",
"query": "",
"fragment": "what\\is going on"
}
Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
----------
components: Library (Lib)
messages: 412118
nosy: meetdash
priority: normal
severity: normal
status: open
title: Hostname spoofing via backslashes in URL
type: security
versions: Python 3.11
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46577>
_______________________________________
More information about the New-bugs-announce
mailing list