Author xtreak
Recipients martin.panter, matrixise, orsenthil, sanebow, xtreak
Date 2019-03-22.11:27:42
Message-id <1553254063.06.0.272002592101.issue36338@roundup.psfhosted.org>
Content
See also issue20271, which discusses the other format http://[::1]spam where ::1 is returned as the hostname. urlparse tries to parse the hostname as an IPv6 address when there is a [ and parses until ] at [0], thus "benign.com\[attacker.com]" is treated as a URL where attacker.com is assumed to be the IPv6 hostname. I am not sure of the correct behavior. FWIW at least Java and golang return "benign.com[attacker.com]" and Ruby raises an exception that this is a bad URL.

Java

> (.getHost (java.net.URL. "http://benign.com\\[attacker.com]"))
"benign.com\\[attacker.com]"

golang: https://play.golang.org/p/q8pTo9ySLby


[0] https://github.com/python/cpython/blob/c5c6cdada3d41148bdeeacfe7528327b481c5d18/Lib/urllib/parse.py#L199
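
An added example, not part of the original message and not CPython's code: `lenient_host` re-implements the bracket handling the message describes, and `strict_host` is a hypothetical stricter check that accepts brackets only around a whole, valid IPv6 literal. The function names and the extra sample netlocs are assumptions made for illustration.

```python
import ipaddress


def lenient_host(netloc):
    """Bracket handling as described in the message: the text between the
    first '[' and the next ']' becomes the hostname, wherever '[' occurs."""
    _, _, hostinfo = netloc.rpartition("@")
    _, has_open, bracketed = hostinfo.partition("[")
    if has_open:
        host, _, _ = bracketed.partition("]")
    else:
        host, _, _ = hostinfo.partition(":")
    return host


def strict_host(netloc):
    """Hypothetical stricter check: brackets must wrap the whole host and
    enclose a valid IPv6 literal; anything else raises ValueError."""
    _, _, hostinfo = netloc.rpartition("@")
    if hostinfo.startswith("["):
        literal, closed, rest = hostinfo[1:].partition("]")
        # Only an optional ":port" may follow the closing bracket.
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed host: {netloc!r}")
        ipaddress.IPv6Address(literal)  # ValueError subclass if not IPv6
        return literal
    if any(ch in hostinfo for ch in "[]\\"):
        raise ValueError(f"bracket or backslash in host: {netloc!r}")
    return hostinfo.partition(":")[0]


def compare(netloc):
    """Return (lenient result, strict result or 'rejected')."""
    try:
        strict = strict_host(netloc)
    except ValueError:
        strict = "rejected"
    return lenient_host(netloc), strict


if __name__ == "__main__":
    # The first two netlocs come from the message; the last two are constructed.
    for sample in ["benign.com\\[attacker.com]", "[::1]spam",
                   "[::1]:8080", "example.com:80"]:
        print(repr(sample), "->", compare(sample))
```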