[issue23505] Urlparse insufficient validation leads to open redirect
STINNER Victor
report at bugs.python.org
Tue Mar 3 00:54:15 CET 2015
STINNER Victor added the comment:
> This can be practically exploited this way : http://example.com/login?next=/////evil.com
Can you please elaborate on the "exploit" part?
In Firefox, the "////etc/passwd" link shows me my local file /etc/passwd. Ok, but how is it an issue?
"//etc/passwd" also shows me file:////etc/passwd.
The OWASP article on Open Redirect shows an example of redirecting to a different website. Can you show an example of how to redirect to a website and not a file:// URL?
https://www.owasp.org/index.php/Open_redirect
----------
nosy: +haypo
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23505>
_______________________________________
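The `next` value quoted in the message, run through `urllib.parse.urlsplit`, as an added example that is not part of the original message or of the tracker issue. It shows that a redirect check relying only on an empty scheme and netloc accepts that value, next to a stricter check that rejects it. The function names and every sample target other than `/////evil.com` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Sample redirect targets. Only "/////evil.com" comes from the report;
# the others are constructed for comparison.
SAMPLE_TARGETS = [
    "/////evil.com",
    "//evil.com",
    "https://evil.com/",
    "/account/settings?tab=1",
]


def naive_is_local(target: str) -> bool:
    """Hypothetical check: 'local' means urlsplit() finds no scheme and no netloc."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def strict_is_local(target: str) -> bool:
    """Hypothetical hardened check: accept only a single-slash, same-site path."""
    # Must be an absolute path on this site.
    if not target.startswith("/"):
        return False
    # A second '/' or a '\' right after the first slash can be read by a
    # client as the start of an authority (host) component.
    if target[1:2] in ("/", "\\"):
        return False
    # Backslashes and control characters have no place in a redirect path.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def audit(targets):
    """Return (target, netloc, path, naive verdict, strict verdict) per target."""
    rows = []
    for t in targets:
        parts = urlsplit(t)
        rows.append((t, parts.netloc, parts.path,
                     naive_is_local(t), strict_is_local(t)))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_TARGETS):
        print(row)
```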