This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author yaaboukir
Recipients yaaboukir
Date 2015-02-24.00:11:53
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1424736713.95.0.74935935546.issue23505@psf.upfronthosting.co.za>
In-reply-to
Content
The module urlparse lacks proper validation of the input leading to open redirect vulnerability.

The issue is that URLs do not survive the round-trip through  `urlunparse(urlparse(url))`. Python sees `/////foo.com` as a URL with no hostname or scheme and a path of `//foo.com`, but when it reconstructs the URL after parsing, it becomes `//foo.com`.

This can be practically exploited this way : http://example.com/login?next=/////evil.com

The for fix this would be for `urlunparse()` to serialize paths with two leading slashes as '/%2F', at least when `scheme` and `netloc` are empty.
History
Date User Action Args
2015-02-24 00:11:53yaaboukirsetrecipients: + yaaboukir
2015-02-24 00:11:53yaaboukirsetmessageid: <1424736713.95.0.74935935546.issue23505@psf.upfronthosting.co.za>
2015-02-24 00:11:53yaaboukirlinkissue23505 messages
2015-02-24 00:11:53yaaboukircreate