This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author mcepl
Recipients benjamin.peterson, ezio.melotti, jeremy.kloth, jkloth, larry, martin.panter, mcepl, ned.deily, steve.dower, vstinner, xtreak
Date 2019-04-03.13:35:36
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
I am trying to investigate the impact of this bug on Python 2.6 (yes, it is for SLE), and I have hard to replicate the steps in the description even on 2.7:

~$ ipython2
Python 2.7.15 (default, May 21 2018, 17:53:03) [GCC]
Type "copyright", "credits" or "license" for more information.

IPython 5.8.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: from urlparse import urlsplit

In [2]: u = "\".encode("idna").decode("ascii") 

In [3]: u
Out[3]: u'\\'

In [4]: urlsplit(u).netloc.rpartition('@')[2]
Out[4]: u''

In [5]: u = "\"

In [6]: urlsplit(u).netloc.rpartition('@')[2]
Out[6]: ''

In [7]: u = u.encode("idna").decode("ascii") 

In [8]: urlsplit(u).netloc.rpartition('@')[2]
Out[8]: u''

In [9]: import unicodedata

In [10]: u2 = unicodedata.normalize('NFKC', u)

In [11]: u2
Out[11]: u'\\'

In [12]: urlsplit(u2)
Out[12]: SplitResult(scheme=u'https', netloc=u'\\', path=u'', query='', fragment='')

In [13]:

Yes, the results are weird, and most likely they would break any software relying on them, but I am not sure that it is a security issue.

vstinner ? steve.dower ? What do you think?
Date User Action Args
2019-04-03 13:35:37mceplsetrecipients: + mcepl, vstinner, larry, benjamin.peterson, jkloth, ned.deily, ezio.melotti, jeremy.kloth, martin.panter, steve.dower, xtreak
2019-04-03 13:35:37mceplsetmessageid: <>
2019-04-03 13:35:37mcepllinkissue36216 messages
2019-04-03 13:35:36mceplcreate