Message 355322 - Python tracker

Message355322

Author	vstinner
Recipients	christian.heimes, jpic, martin.panter, matrixise, orsenthil, ronaldoussoren, sanebow, vstinner, xtreak
Date	2019-10-24.10:38:17
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1571913498.0.0.793316673015.issue36338@roundup.psfhosted.org>
In-reply-to

Content
OMG parsing an URL is a can of worms... There are so many open issues related to URL parsing! * bpo-18191: urllib.parse.splitport("::1") * bpo-20271: urllib.parse.urlparse('http://[::1]spam:80') * bpo-28841: urlparse.urlparse() parses invalid URI without generating an error (examples provided) * bpo-33342: urlsplit("//user:[@host") * bpo-34360: 'http://[::1]]' * bpo-35377: urlparse doesn't validate the scheme * bpo-35748: 'http://www.google.com\@xxx.com' * bpo-36338 (this issue): urlparse('http://demo.com[attacker.com]') * bpo-37678: urlparse('http://user:pass#?[word@example.com:80/path') Related: * bpo-3647: urlparse - relative url parsing and joins to be RFC3986 compliance * bpo-16909: urlparse: add userinfo attribute * bpo-18140: issue with 'http://auser:secr#et@192.168.0.1:8080/a/b/c.html' * bpo-22234: urllib.parse.urlparse accepts any falsy value as an url * bpo-22852: "urllib.parse wrongly strips empty #fragment, ?query, //netloc" * bpo-23328: issue with "http://someuser:a/b@10.11.12.13:1234" * bpo-23448: "urllib2 needs to remove scope from IPv6 address when creating Host header" * bpo-23505: [CVE-2015-2104] Urlparse insufficient validation leads to open redirect There are 124 open issues with "urllib" in their title and 12 open issues with "urlparse" in their title.

Content

OMG parsing an URL is a can of worms... There are so many open issues related to URL parsing!

* bpo-18191: urllib.parse.splitport("::1")
* bpo-20271: urllib.parse.urlparse('http://[::1]spam:80')
* bpo-28841: urlparse.urlparse() parses invalid URI without generating an error (examples provided)
* bpo-33342: urlsplit("//user:[@host")
* bpo-34360: 'http://[::1]]'
* bpo-35377: urlparse doesn't validate the scheme
* bpo-35748: 'http://www.google.com\@xxx.com'
* bpo-36338 (this issue): urlparse('http://demo.com[attacker.com]')
* bpo-37678: urlparse('http://user:pass#?[word@example.com:80/path')

Related:

* bpo-3647: urlparse - relative url parsing and joins to be RFC3986 compliance
* bpo-16909: urlparse: add userinfo attribute
* bpo-18140: issue with 'http://auser:secr#et@192.168.0.1:8080/a/b/c.html'
* bpo-22234: urllib.parse.urlparse accepts any falsy value as an url
* bpo-22852: "urllib.parse wrongly strips empty #fragment, ?query, //netloc"
* bpo-23328: issue with "http://someuser:a/b@10.11.12.13:1234"
* bpo-23448: "urllib2 needs to remove scope from IPv6 address when creating Host header"
* bpo-23505: [CVE-2015-2104] Urlparse insufficient validation leads to open redirect

There are 124 open issues with "urllib" in their title and 12 open issues with "urlparse" in their title.

History
Date	User	Action	Args
2019-10-24 10:38:18	vstinner	set	recipients: + vstinner, ronaldoussoren, orsenthil, christian.heimes, martin.panter, matrixise, xtreak, sanebow, jpic
2019-10-24 10:38:18	vstinner	set	messageid: <1571913498.0.0.793316673015.issue36338@roundup.psfhosted.org>
2019-10-24 10:38:17	vstinner	link	issue36338 messages
2019-10-24 10:38:17	vstinner	create