
Author yaaboukir
Recipients PaulMcMillan, benjamin.peterson, martin.panter, orsenthil, pitrou, python-dev, soilandreyes, vstinner, yaaboukir
Date 2015-03-07.02:55:10
Message-id <1425696910.76.0.0796022266632.issue23505@psf.upfronthosting.co.za>
In-reply-to
Content
From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 14:09:55 +1300

On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:

    We think that the issue reduces to the question of whether it's
    acceptable for urlparse to provide inconsistent information about the
    structure of a URL.

    https://docs.python.org/2/library/urlparse.html says:

       urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
       Parse a URL into six components, returning a 6-tuple. This
       corresponds to the general structure of a URL:
       scheme://netloc/path;parameters?query#fragment.


My 2c ... no it does not.

There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.


Ignoring the userinfo field leaves implementations open to attacks of
the form:
   scheme://example.com@phishing.com/path

AYJ
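
Added example, not part of the original message or of CPython: it shows how a check that treats netloc as the host accepts the URL form above, while a check on the parsed host rejects it. It uses Python 3's urllib.parse (the successor to the urlparse module quoted above); ALLOWED_HOSTS and the three function names are hypothetical.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}  # constructed allowlist, an assumption of this example


def authority_parts(url):
    """Return (userinfo, host, port) for the URL's authority component."""
    parts = urlsplit(url)
    # Everything before the last '@' in netloc is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    return (userinfo if at else None, parts.hostname, parts.port)


def naive_host_check(url):
    """Flawed: treats netloc as if it were the host name."""
    netloc = urlsplit(url).netloc
    return any(netloc.startswith(h) for h in ALLOWED_HOSTS)


def host_is_allowed(url, allow_userinfo=False):
    """Decide on the parsed host only; reject userinfo unless the caller expects it."""
    try:
        userinfo, host, _port = authority_parts(url)
    except ValueError:  # malformed port or IPv6 literal
        return False
    if userinfo is not None and not allow_userinfo:
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample URLs; the first is the form given in the message.
    samples = [
        "scheme://example.com@phishing.com/path",
        "https://Example.COM:443/path",
        "ftp://user:secret@example.com/file",
    ]
    for url in samples:
        print(url, authority_parts(url), naive_host_check(url), host_is_allowed(url))
```
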
History
Date                 User       Action  Args
2015-03-07 02:55:10  yaaboukir  set     recipients: + yaaboukir, orsenthil, pitrou, vstinner, benjamin.peterson, python-dev, martin.panter, PaulMcMillan, soilandreyes
2015-03-07 02:55:10  yaaboukir  set     messageid: <1425696910.76.0.0796022266632.issue23505@psf.upfronthosting.co.za>
2015-03-07 02:55:10  yaaboukir  link    issue23505 messages
2015-03-07 02:55:10  yaaboukir  create