Message338972
| Author | xtreak |
|---|---|
| Recipients | martin.panter, matrixise, orsenthil, ronaldoussoren, sanebow, xtreak |
| Date | 2019-03-27.16:00:26 |
| Message-id | <1553702426.95.0.487209778817.issue36338@roundup.psfhosted.org> |
| In-reply-to |
| Content | |
|---|---|
I found this page to be useful: https://url.spec.whatwg.org/#host-parsing and following the steps it seems that this should raise an error, since at the 7th step it denotes that asciiDomain shouldn't contain a forbidden host code point, including "[]". As another data point, using 'new URL("http://benign.com[attacker.com]")' in a browser's JavaScript console also raises an exception that this is a bad URL. Even if attacker.com is assumed to be the correct host by Python, it's not validated to be an IPv6 address, where it should fail.

Ruby seems to use a regex: https://github.com/ruby/ruby/blob/trunk/lib/uri/rfc3986_parser.rb#L6
Java parseurl: http://hg.openjdk.java.net/jdk/jdk/file/c4c225b49c5f/src/java.base/share/classes/java/net/URLStreamHandler.java#l124
golang: https://github.com/golang/go/blob/50bd1c4d4eb4fac8ddeb5f063c099daccfb71b26/src/net/url/url.go#L587 |
|
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2019-03-27 16:00:26 | xtreak | set | recipients: + xtreak, ronaldoussoren, orsenthil, martin.panter, matrixise, sanebow |
| 2019-03-27 16:00:26 | xtreak | set | messageid: <1553702426.95.0.487209778817.issue36338@roundup.psfhosted.org> |
| 2019-03-27 16:00:26 | xtreak | link | issue36338 messages |
| 2019-03-27 16:00:26 | xtreak | create | |
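
An added example, not part of the original message and not CPython's code: a minimal Python sketch of the two checks the message discusses, rejecting hosts that contain forbidden host code points such as "[" and "]", and requiring a bracketed host to be a real IPv6 address. The function names and the character set (modeled on the WHATWG list) are assumptions of this example, and it parses the authority by hand so the result does not depend on which `urllib.parse` version is installed.

```python
import ipaddress

# Assumption: modeled on the WHATWG "forbidden host code point" list,
# which includes "[" and "]" as noted in the message above.
FORBIDDEN_HOST_CHARS = set('\x00\t\n\r #/:<>?@[\\]^|')


def extract_host(url: str) -> str:
    """Return the raw host of the authority, without userinfo or port."""
    scheme, sep, rest = url.partition("://")
    if not scheme or not sep:
        raise ValueError("no authority component")
    # The authority ends at the first "/", "?" or "#".
    cuts = (rest.find(c) for c in "/?#")
    end = min((i for i in cuts if i != -1), default=len(rest))
    hostport = rest[:end].rpartition("@")[2]
    if hostport.startswith("["):
        # Bracketed literal: host runs to "]", optionally followed by ":port".
        host, close, tail = hostport.partition("]")
        if not close or (tail and not (tail[0] == ":" and tail[1:].isdigit())):
            raise ValueError("malformed bracketed host")
        return host + "]"
    host, colon, port = hostport.rpartition(":")
    # Only strip a trailing ":digits"; anything else is left for validation.
    return host if colon and port.isdigit() else hostport


def validate_host(host: str) -> str:
    """Return a normalized host or raise ValueError."""
    if not host:
        raise ValueError("empty host")
    if host.startswith("["):
        if not host.endswith("]"):
            raise ValueError("unterminated IPv6 literal")
        # AddressValueError (a ValueError) unless the content is real IPv6.
        return "[%s]" % ipaddress.IPv6Address(host[1:-1])
    bad = sorted(FORBIDDEN_HOST_CHARS.intersection(host))
    if bad:
        raise ValueError("forbidden host code point(s): %r" % bad)
    return host.lower()


def is_acceptable(url: str) -> bool:
    try:
        validate_host(extract_host(url))
        return True
    except ValueError:
        return False
```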