
Author yaaboukir
Recipients PaulMcMillan, benjamin.peterson, martin.panter, orsenthil, pitrou, python-dev, soilandreyes, vstinner, yaaboukir
Date 2015-03-07.02:55:10
From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 14:09:55 +1300

On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:

    We think that the issue reduces to the question of whether it's
    acceptable for urlparse to provide inconsistent information about the
    structure of a URL. says:

       urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
       Parse a URL into six components, returning a 6-tuple. This
       corresponds to the general structure of a URL:

My 2c ... no it does not.

There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.

Ignoring the userinfo field leaves implementations open to attacks of
the form:
   scheme:// () phishing com/path

Date User Action Args
2015-03-07 02:55:10  yaaboukir  set  recipients: + yaaboukir, orsenthil, pitrou, vstinner, benjamin.peterson, python-dev, martin.panter, PaulMcMillan, soilandreyes
2015-03-07 02:55:10  yaaboukir  set  messageid: <>
2015-03-07 02:55:10  yaaboukir  link  issue23505 messages
2015-03-07 02:55:10  yaaboukir  create
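The netloc/userinfo distinction raised in the message above, as an added example that is not part of the original message or of CPython: it splits netloc into userinfo, host and port with Python 3's urllib.parse (the successor of the urlparse module quoted above) and contrasts a host check that reads netloc as the host with one that rejects userinfo. The function names, the allowlist policy and the .example URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the text before '@' is userinfo, not the host.
SAMPLE = "https://trusted.example@phishing.example/path"


def netloc_parts(url):
    """Return (userinfo, host, port) for the netloc of `url`."""
    parts = urlsplit(url)
    userinfo = None
    if "@" in parts.netloc:
        # The last '@' separates userinfo from host[:port].
        userinfo = parts.netloc.rpartition("@")[0]
    return userinfo, parts.hostname, parts.port


def naive_is_trusted(url, trusted_host):
    """Flawed check: treats netloc as if it were the host name."""
    return urlsplit(url).netloc.startswith(trusted_host)


def is_trusted(url, trusted_hosts, schemes=("https",)):
    """Allowlist check on the parsed host; any userinfo is refused."""
    try:
        parts = urlsplit(url)
        userinfo, host, _port = netloc_parts(url)
    except ValueError:
        # Malformed netloc (for example a non-numeric port).
        return False
    if parts.scheme not in schemes:
        return False
    if userinfo is not None:
        # Policy assumption: links presented to users never need credentials.
        return False
    return host is not None and host in trusted_hosts


if __name__ == "__main__":
    print(netloc_parts(SAMPLE))
    print("naive check:", naive_is_trusted(SAMPLE, "trusted.example"))
    print("host check: ", is_trusted(SAMPLE, {"trusted.example"}))
```
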