
Author xtreak
Recipients christian.heimes, martin.panter, nsonaniya2010, orsenthil, xtreak
Date 2019-01-16.13:04:32
There are also some notes at

Because the userinfo subcomponent is rarely used and appears before
the host in the authority component, it can be used to construct a
URI intended to mislead a human user by appearing to identify one
(trusted) naming authority while actually identifying a different
authority hidden behind the noise.  For example

might lead a human user to assume that the host is '',
whereas it is actually ''.  Note that a misleading userinfo
subcomponent could be much longer than the example above.

A misleading URI, such as that above, is an attack on the user's
preconceived notions about the meaning of a URI rather than an attack
on the software itself.  User agents may be able to reduce the impact
of such attacks by distinguishing the various components of the URI
when they are rendered, such as by using a different color or tone to
render userinfo if any is present, though there is no panacea.  More
information on URI-based semantic attacks can be found in [Siedzik].

In Firefox Nightly and the latest Chrome, pasting the above URL makes a request to where in Chrome the URL in the address bar is changed to and Firefox has the same URL in the address bar. Python also returns '' as the hostname for the above example using urlparse.
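Added example (not part of the original message and not CPython's own code): a small check in the spirit of the RFC's advice to distinguish URI components when rendering, built on `urllib.parse.urlsplit`. The function names, the "dot in the user name" heuristic and the sample URLs on reserved `.example` names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def describe_authority(url):
    """Split a URL's authority into userinfo and host as urllib.parse sees it."""
    parts = urlsplit(url)
    # Userinfo is everything before the LAST '@' of the authority component.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return {
        "userinfo": userinfo if at else None,
        # .hostname drops userinfo and port and lower-cases the host.
        "host": parts.hostname,
        "port": parts.port,
        # Heuristic (assumption of this example): a user name containing a
        # dot reads like a host name to a person skimming the URL.
        "userinfo_looks_like_host": "." in (parts.username or ""),
    }


def render_for_display(url):
    """Return a string that states the real host separately from userinfo."""
    info = describe_authority(url)
    if info["userinfo"] is None:
        return f"{url}  [host: {info['host']}]"
    note = "; userinfo resembles a host name" if info["userinfo_looks_like_host"] else ""
    return f"{url}  [host: {info['host']}; userinfo present{note}]"


# Constructed sample URLs (reserved .example names, not taken from the page).
SAMPLES = [
    "http://trusted.example@other.example/login",
    "https://other.example/login",
    "ftp://alice:secret@files.example:2121/pub",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_for_display(sample))
```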
| Date | User | Action | Args |
|---|---|---|---|
| 2019-01-16 13:04:34 | xtreak | set | recipients: + xtreak, orsenthil, christian.heimes, martin.panter, nsonaniya2010 |
| 2019-01-16 13:04:32 | xtreak | set | messageid: <> |
| 2019-01-16 13:04:32 | xtreak | link | issue35748 messages |
| 2019-01-16 13:04:32 | xtreak | create | |