Author yaaboukir
Recipients yaaboukir
Date 2015-02-24.00:11:53
The module urlparse lacks proper validation of the input, leading to an open redirect vulnerability.

The issue is that URLs do not survive the round-trip through `urlunparse(urlparse(url))`. Python sees `/////` as a URL with no hostname or scheme and a path of `//`, but when it reconstructs the URL after parsing, it becomes `//`.

This can be practically exploited this way:

The fix for this would be for `urlunparse()` to serialize paths with two leading slashes as '/%2F', at least when `scheme` and `netloc` are empty.
| Date | User | Action | Args |
|---|---|---|---|
| 2015-02-24 00:11:53 | yaaboukir | set | recipients: + yaaboukir |
| 2015-02-24 00:11:53 | yaaboukir | set | messageid: <> |
| 2015-02-24 00:11:53 | yaaboukir | link | issue23505 messages |
| 2015-02-24 00:11:53 | yaaboukir | create | |
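The following is an added example, not part of the original report or of CPython: a redirect-target check that does not depend on how `urlunparse()` re-serializes, plus a serializer applying the `/%2F` encoding proposed in the report. The function names and the host `example.com` are constructed for illustration.

```python
from urllib.parse import ParseResult, urlparse, urlunparse


def has_ambiguous_path(parts: ParseResult) -> bool:
    """True when there is no scheme or host but the path starts with '//'.

    Such a path can turn into a network-path reference ('//host/...') if it
    is written back out without its extra leading slashes.
    """
    return not parts.scheme and not parts.netloc and parts.path.startswith("//")


def safe_unparse(parts: ParseResult) -> str:
    """Serialize like urlunparse(), applying the encoding proposed in the report.

    With an empty scheme and netloc, a path with two leading slashes is
    emitted as '/%2F...' so that re-parsing can never yield a hostname.
    """
    if has_ambiguous_path(parts):
        parts = parts._replace(path="/%2F" + parts.path[2:])
    return urlunparse(parts)


def is_safe_redirect_target(url: str) -> bool:
    """Accept only same-site absolute paths that stay host-less after a round trip."""
    parts = urlparse(url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return False
    if has_ambiguous_path(parts):
        return False
    again = urlparse(urlunparse(parts))
    return not again.scheme and not again.netloc


if __name__ == "__main__":
    # Constructed sample inputs; the raw round-trip column shows whatever
    # urlunparse() does on the interpreter running this script.
    for candidate in ("/account/settings?tab=1", "////example.com",
                      "//example.com", "https://example.com/"):
        parts = urlparse(candidate)
        print(f"{candidate!r:28} raw={urlunparse(parts)!r:24} "
              f"safe={safe_unparse(parts)!r:24} ok={is_safe_redirect_target(candidate)}")
```
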