Author xtreak
Recipients christian.heimes, martin.panter, nsonaniya2010, orsenthil, xtreak
Date 2019-01-16.13:04:32
Message-id <1547643872.44.0.605743974232.issue35748@roundup.psfhosted.org>
Content
There are also some notes at https://tools.ietf.org/html/rfc3986#section-7.6

Because the userinfo subcomponent is rarely used and appears before
the host in the authority component, it can be used to construct a
URI intended to mislead a human user by appearing to identify one
(trusted) naming authority while actually identifying a different
authority hidden behind the noise.  For example

ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm

might lead a human user to assume that the host is 'cnn.example.com',
whereas it is actually '10.0.0.1'.  Note that a misleading userinfo
subcomponent could be much longer than the example above.

A misleading URI, such as that above, is an attack on the user's
preconceived notions about the meaning of a URI rather than an attack
on the software itself.  User agents may be able to reduce the impact
of such attacks by distinguishing the various components of the URI
when they are rendered, such as by using a different color or tone to
render userinfo if any is present, though there is no panacea.  More
information on URI-based semantic attacks can be found in [Siedzik].

In Firefox Nightly and the latest Chrome, pasting the above URL makes a request to 10.0.0.1/top_story.htm; in Chrome the URL in the address bar is changed to 10.0.0.1/top_story.htm, and Firefox keeps the same URL in the address bar. Python also returns '10.0.0.1' as the hostname for the above example using urlparse.
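The parsing behaviour described above, as an added example that is not part of this tracker message or of CPython itself: it splits the RFC's sample URL with urllib.parse, shows why the host is 10.0.0.1, and renders each authority subcomponent labelled, which is the mitigation RFC 3986 section 7.6 suggests for user agents. The character set and length threshold used to flag a suspicious userinfo are assumed heuristics, not anything from the RFC or the standard library.

```python
from urllib.parse import urlsplit

# Characters a legitimate user name rarely contains but that make a userinfo
# string resemble a host name or query string (assumed heuristic).
SUSPICIOUS_CHARS = set(".&=/?#")
MAX_PLAUSIBLE_USERINFO = 32  # assumed threshold, not from the RFC


def userinfo_of(parts):
    """Return the raw userinfo (text before the last '@' in the authority),
    or None when the authority carries no userinfo at all."""
    userinfo, sep, _host = parts.netloc.rpartition("@")
    return userinfo if sep else None


def inspect_url(url):
    """Split url per RFC 3986 and flag userinfo that could mislead a reader."""
    parts = urlsplit(url)
    userinfo = userinfo_of(parts)
    looks_misleading = userinfo is not None and (
        any(c in SUSPICIOUS_CHARS for c in userinfo)
        or len(userinfo) > MAX_PLAUSIBLE_USERINFO
    )
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "username": parts.username,   # userinfo before the first ':'
        "hostname": parts.hostname,   # what a request would actually go to
        "path": parts.path,
        "looks_misleading": looks_misleading,
    }


def render_components(url):
    """Render the URI with the userinfo visibly separated from the host."""
    info = inspect_url(url)
    pieces = [f"scheme={info['scheme']}"]
    if info["userinfo"] is not None:
        pieces.append(f"USERINFO={info['userinfo']!r}")
    pieces.append(f"host={info['hostname']}")
    pieces.append(f"path={info['path']}")
    if info["looks_misleading"]:
        pieces.append("WARNING: userinfo resembles a host name or query")
    return " ".join(pieces)


if __name__ == "__main__":
    # Constructed inputs: the RFC's example plus two ordinary URLs.
    for u in ("ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm",
              "https://user:secret@example.com/login",
              "https://example.com/"):
        print(render_components(u))
```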