This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Hostname spoofing via backslashes in URL
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.11

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: meetdash, xtreak
Priority: normal
Keywords:

Created on 2022-01-30 00:29 by meetdash, last changed 2022-04-11 14:59 by admin.

Messages (2)
msg412118 - Author: Dashmeet Kaur Ajmani (meetdash) Date: 2022-01-30 00:29
A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"

Expected behaviour (as returned by NPM urijs):
{
 "scheme": "http",
 "user": "",
 "password": "",
 "host": "google.com",
 "port": "",
 "path": "@yahoo.com/",
 "query": "",
 "fragment": "what\\is going on"
}

Actual behaviour:
{
 "scheme": "http",
 "user": "google.com",
 "password": "80\\",
 "host": "yahoo.com",
 "port": "",
 "path": "/",
 "query": "",
 "fragment": "what\\is going on"
}

Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
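
The disagreement reported in msg412118 can be caught before any allow-list decision by comparing the host `urllib.parse.urlsplit` returns with the host a WHATWG-style parser would use. The following is an added example, not code from the report or from CPython; `whatwg_style_host` and `checked_hostname` are hypothetical helpers, the WHATWG reading is only approximated, and the `\\` in the report's URL is assumed to be one escaped backslash.

```python
from urllib.parse import urlsplit

# Schemes the WHATWG URL Standard calls "special"; for these a backslash
# is treated like "/" and therefore ends the authority component.
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp"}


def whatwg_style_host(url):
    """Approximate the host a WHATWG-style parser (browser, Node URL) would use."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return None
    delimiters = "/?#" + ("\\" if scheme.lower() in SPECIAL_SCHEMES else "")
    cut = [rest.find(c) for c in delimiters if c in rest]
    authority = rest[: min(cut)] if cut else rest
    hostport = authority.rpartition("@")[2]      # drop any userinfo
    if hostport.startswith("["):                 # bracketed IPv6 literal
        host = hostport[1 : hostport.find("]")]
    else:
        host = hostport.partition(":")[0]        # drop any port
    return host.lower() or None


def checked_hostname(url, allowed_hosts):
    """Return the hostname only if both readings agree and it is allow-listed."""
    lib_host = urlsplit(url).hostname
    other_host = whatwg_style_host(url)
    if lib_host is None or lib_host != other_host:
        raise ValueError(
            f"ambiguous authority: urllib={lib_host!r}, other={other_host!r}"
        )
    if lib_host not in allowed_hosts:
        raise ValueError(f"host not allowed: {lib_host!r}")
    return lib_host


# Constructed input: the report's example URL, reading its "\\" as one backslash.
REPORTED_URL = "http://google.com:80\\@yahoo.com/#what\\is going on"

if __name__ == "__main__":
    print("urllib host:       ", urlsplit(REPORTED_URL).hostname)
    print("WHATWG-style host: ", whatwg_style_host(REPORTED_URL))
    try:
        checked_hostname(REPORTED_URL, {"yahoo.com"})
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting on disagreement, rather than trusting either reading, keeps the decision correct whichever parser the downstream HTTP client or browser uses.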

msg412124 - Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2022-01-30 04:43
This seems to be similar to https://bugs.python.org/issue35748

History
Date                 User      Action  Args
2022-04-11 14:59:55  admin     set     github: 90735
2022-01-30 04:43:25  xtreak    set     nosy: + xtreak; messages: + msg412124
2022-01-30 00:29:31  meetdash  create