Message 294667 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Nam.Nguyen
Recipients	Nam.Nguyen
Date	2017-05-29.04:04:11
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1496030652.64.0.90102082916.issue30500@psf.upfronthosting.co.za>
In-reply-to

Content
Reported by Orange Tsai: ========== Hi, Python Security Team import urllib from urlparse import urlparse url = 'http://127.0.0.1#@evil.com/' print urlparse(url).netloc # 127.0.0.1 print urllib.urlopen(url).read() # will access evil.com I have tested on the latest version of Python 2.7.13. ==========

Reported by Orange Tsai:

==========
Hi, Python Security Team

import urllib
from urlparse import urlparse

url = 'http://127.0.0.1#@evil.com/'
print urlparse(url).netloc          # 127.0.0.1
print urllib.urlopen(url).read()    # will access evil.com


I have tested on the latest version of Python 2.7.13.
==========

History
Date	User	Action	Args
2017-05-29 04:04:12	Nam.Nguyen	set	recipients: + Nam.Nguyen
2017-05-29 04:04:12	Nam.Nguyen	set	messageid: <1496030652.64.0.90102082916.issue30500@psf.upfronthosting.co.za>
2017-05-29 04:04:12	Nam.Nguyen	link	issue30500 messages
2017-05-29 04:04:11	Nam.Nguyen	create