Message237412
From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 14:09:55 +1300
On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:
> We think that the issue reduces to the question of whether it's
> acceptable for urlparse to provide inconsistent information about the
> structure of a URL.
>
> https://docs.python.org/2/library/urlparse.html says:
>
>   urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
>   Parse a URL into six components, returning a 6-tuple. This
>   corresponds to the general structure of a URL:
>   scheme://netloc/path;parameters?query#fragment.

My 2c ... no it does not.

There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.
Ignoring the userinfo field leaves implementations open to attacks of
the form:

  scheme://example.com@phishing.com/path
AYJ

Date | User | Action | Args
2015-03-07 02:55:10 | yaaboukir | set | recipients: + yaaboukir, orsenthil, pitrou, vstinner, benjamin.peterson, python-dev, martin.panter, PaulMcMillan, soilandreyes
2015-03-07 02:55:10 | yaaboukir | set | messageid: <1425696910.76.0.0796022266632.issue23505@psf.upfronthosting.co.za>
2015-03-07 02:55:10 | yaaboukir | link | issue23505 messages
2015-03-07 02:55:10 | yaaboukir | create |
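Added example, not part of the original message or of Python's own code: it uses Python 3's `urllib.parse.urlsplit` (the successor of the `urlparse` module quoted in the message) to show that `netloc` carries the userinfo field, and that a trust check has to compare the parsed host instead. The allowlist, the helper names and the sample URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example.
ALLOWED_HOSTS = {"example.com"}

# Constructed sample URLs; the second has the form quoted in the message.
SAMPLES = [
    "https://example.com/path",
    "scheme://example.com@phishing.com/path",
    "ftp://user:pw@example.com/file",
]


def split_netloc(url):
    """Return (userinfo, host) taken from the URL's netloc field."""
    parts = urlsplit(url)
    # Everything before the last '@' in netloc is userinfo, not the host.
    userinfo, sep, _hostport = parts.netloc.rpartition("@")
    # .hostname is the lower-cased host with userinfo and port stripped.
    return (userinfo if sep else None, parts.hostname)


def naive_is_trusted(url):
    """Flawed check: treats netloc as if it were only the host."""
    return urlsplit(url).netloc.startswith("example.com")


def is_trusted(url, allow_userinfo=False):
    """Compare the real host to the allowlist; reject userinfo by default."""
    userinfo, host = split_netloc(url)
    if userinfo is not None and not allow_userinfo:
        return False
    return host is not None and host in ALLOWED_HOSTS


if __name__ == "__main__":
    for sample in SAMPLES:
        userinfo, host = split_netloc(sample)
        print(f"{sample}\n  netloc={urlsplit(sample).netloc!r} "
              f"userinfo={userinfo!r} host={host!r} "
              f"naive={naive_is_trusted(sample)} strict={is_trusted(sample)}")
```

Passing `allow_userinfo=True` suits non-HTTP schemes where credentials in the URL are expected; the host comparison still applies.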