Home Original page

Message 334049 - Python tracker

Message334049

Author steven.daprano
Recipients christian.heimes, martin.panter, nsonaniya2010, orsenthil, steven.daprano, xtreak
Date 2019-01-19.08:50:39
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <20190119085032.GS13616@ando.pearwood.info>
In-reply-to <1547881758.9.0.617798565977.issue35748@roundup.psfhosted.org>
Content 
> The “urllib.parse” module generally follows RFC 3986, which does not 
> allow a literal backslash in the “userinfo” part:

And yet the parse() function seems to allow arbitrary unescaped 
characters. This is from 3.8.0a0:

py> from urllib.parse import urlparse
py> urlparse(r'http://spam\eggs!cheese&aardvark@evil.com').netloc
'spam\\eggs!cheese&aardvark@evil.com'
py> urlparse(r'http://spam\eggs!cheese&aardvark@evil.com').hostname
'evil.com'

If that's a bug, it is a separate bug to this issue.

Backslash doesn't seem relevant to the security issue of userinfo being 
used to mislead:

py> urlparse('http://www.google.com@evil.com').netloc
'www.google.com@evil.com'
py> urlparse('http://www.google.com@evil.com').hostname
'evil.com'

If it is relevant, can somebody explain to me how?
History
Date User Action Args
2019-01-19 08:50:41steven.dapranosetrecipients: + steven.daprano, orsenthil, christian.heimes, martin.panter, xtreak, nsonaniya2010
2019-01-19 08:50:39steven.dapranolinkissue35748 messages
2019-01-19 08:50:39steven.dapranocreate