Message339391
I am trying to investigate the impact of this bug on Python 2.6 (yes, it is for SLE), and I am having a hard time replicating the steps in the description even on 2.7:
~$ ipython2
Python 2.7.15 (default, May 21 2018, 17:53:03) [GCC]
Type "copyright", "credits" or "license" for more information.
IPython 5.8.0 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
In [1]: from urlparse import urlsplit
In [2]: u = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
In [3]: u
Out[3]: u'https://example.com\\uFF03@bing.com'
In [4]: urlsplit(u).netloc.rpartition('@')[2]
Out[4]: u'bing.com'
In [5]: u = "https://example.com\uFF03@bing.com"
In [6]: urlsplit(u).netloc.rpartition('@')[2]
Out[6]: 'bing.com'
In [7]: u = u.encode("idna").decode("ascii")
In [8]: urlsplit(u).netloc.rpartition('@')[2]
Out[8]: u'bing.com'
In [9]: import unicodedata
In [10]: u2 = unicodedata.normalize('NFKC', u)
In [11]: u2
Out[11]: u'https://example.com\\uFF03@bing.com'
In [12]: urlsplit(u2)
Out[12]: SplitResult(scheme=u'https', netloc=u'example.com\\uFF03@bing.com', path=u'', query='', fragment='')
In [13]:
Yes, the results are weird, and most likely they would break any software relying on them, but I am not sure that it is a security issue.
vstinner? steve.dower? What do you think?
Date | User | Action | Args
2019-04-03 13:35:37 | mcepl | set | recipients: + mcepl, vstinner, larry, benjamin.peterson, jkloth, ned.deily, ezio.melotti, jeremy.kloth, martin.panter, steve.dower, xtreak
2019-04-03 13:35:37 | mcepl | set | messageid: <1554298537.3.0.148287614893.issue36216@roundup.psfhosted.org>
2019-04-03 13:35:37 | mcepl | link | issue36216 messages
2019-04-03 13:35:36 | mcepl | create |
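Added example (Python 3, not part of the original message and not CPython's own code): a check for netlocs in which NFKC normalization produces URL delimiter characters, run on two constructed strings, one holding the real U+FF03 character and one holding the six ASCII characters \uFF03 as displayed in Out[3] above. The function names and sample strings are assumptions made for this illustration.

```python
import unicodedata

DELIMS = "/?#@:"  # characters that separate URL components


def nfkc_introduced_delims(netloc):
    """Return the delimiters that appear in netloc only after NFKC normalization."""
    if all(ord(c) < 128 for c in netloc):
        return set()  # pure ASCII is unchanged by NFKC
    stripped = netloc
    for c in DELIMS:  # ignore delimiters that are already present
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return {c for c in DELIMS if c in normalized}


def host_after_userinfo(netloc):
    """Host as extracted in the transcript: everything after the last '@'."""
    return netloc.rpartition("@")[2]


def host_if_normalized_first(netloc):
    """Host seen by a consumer that applies NFKC before splitting the authority."""
    normalized = unicodedata.normalize("NFKC", netloc)
    end = len(normalized)
    for c in "/?#":  # the authority ends at the first of these
        pos = normalized.find(c)
        if pos != -1:
            end = min(end, pos)
    return normalized[:end].rpartition("@")[2]


# Constructed samples (hypothetical, mirroring the strings in the transcript)
REAL = "example.com\uFF03@bing.com"      # contains U+FF03 FULLWIDTH NUMBER SIGN
LITERAL = r"example.com\uFF03@bing.com"  # backslash + 'uFF03', all ASCII

if __name__ == "__main__":
    for name, netloc in (("REAL", REAL), ("LITERAL", LITERAL)):
        print(name,
              sorted(nfkc_introduced_delims(netloc)),
              host_after_userinfo(netloc),
              host_if_normalized_first(netloc))
```

A non-empty result from nfkc_introduced_delims means two components that normalize at different stages can disagree about the host, which is the condition worth rejecting or logging before the URL is used for an allow-list or routing decision.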