Message 349153 - Python tracker

Message349153

Author	sanebow
Recipients	jpic, martin.panter, matrixise, orsenthil, ronaldoussoren, sanebow, xtreak
Date	2019-08-07.07:47:54
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1565164074.83.0.663936524704.issue36338@roundup.psfhosted.org>
In-reply-to

Content
Python2 urlparse.urlparse and urllib2.urlparse.urlparse have a similar IPv6 hostname parsing bug. >>> urlparse.urlparse('http://nevil.com[]').hostname >>> 'evil.com[' This is less practical to exploit since the parsed domain contains a '[' in the end. Do I need to create a separate issue for this Python2 bug? I think the way PR 14896 fix the python3 bug can also be applied to this. Also, do we need a CVE ID for the python3 bug? As it may lead to some security issues in some Python apps, e.g., open-redirect. I have found such a case in a private bug bounty program.

Content

Python2 urlparse.urlparse and urllib2.urlparse.urlparse have a similar IPv6 hostname parsing bug.

>>> urlparse.urlparse('http://nevil.com[]').hostname
>>> 'evil.com['

This is less practical to exploit since the parsed domain contains a '[' in the end.

Do I need to create a separate issue for this Python2 bug?

I think the way PR 14896 fix the python3 bug can also be applied to this.


Also, do we need a CVE ID for the python3 bug? As it may lead to some security issues in some Python apps, e.g., open-redirect. I have found such a case in a private bug bounty program.

History
Date	User	Action	Args
2019-08-07 07:47:54	sanebow	set	recipients: + sanebow, ronaldoussoren, orsenthil, martin.panter, matrixise, xtreak, jpic
2019-08-07 07:47:54	sanebow	set	messageid: <1565164074.83.0.663936524704.issue36338@roundup.psfhosted.org>
2019-08-07 07:47:54	sanebow	link	issue36338 messages
2019-08-07 07:47:54	sanebow	create