This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author martin.panter
Recipients benjamin.peterson, martin.panter, orsenthil, pitrou, python-dev, soilandreyes, vstinner, yaaboukir
Date 2015-03-03.05:16:51
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1425359811.66.0.522847300609.issue23505@psf.upfronthosting.co.za>
In-reply-to
Content 
Do you think it would be enough to ensure the urlparse() result remembers whether the empty “//” was present or not? In other words, something like the following mockup (based on the Issue 22852 proposal). An example vunerable program would help me understand this as well.

>>> urlparse("////evil.com")
ParseResult(scheme="", netloc="", has_netloc=True, path="//evil.com", ...)
>>> urlunparse(_)
"////evil.com"

Or would we still need special handling of a path that starts with a double slash despite that; either URL-encoding the second slash, or maybe just raising an exception? Consider that the components are already supposed to be URL-encoded, and you can still generate unexpected valid URLs by giving other invalid components, such as

>>> urlunparse(("", "netloc/with/path", "/more/path", "", "", ""))
'//netloc/with/path/more/path'
History
Date User Action Args
2015-03-03 05:16:51martin.pantersetrecipients: + martin.panter, orsenthil, pitrou, vstinner, benjamin.peterson, python-dev, soilandreyes, yaaboukir
2015-03-03 05:16:51martin.pantersetmessageid: <1425359811.66.0.522847300609.issue23505@psf.upfronthosting.co.za>
2015-03-03 05:16:51martin.panterlinkissue23505 messages
2015-03-03 05:16:51martin.pantercreate