Author mcepl
Recipients benjamin.peterson, ezio.melotti, jeremy.kloth, jkloth, larry, martin.panter, mcepl, ned.deily, steve.dower, vstinner, xtreak
Date 2019-04-03.13:35:36
Message-id <1554298537.3.0.148287614893.issue36216@roundup.psfhosted.org>
In-reply-to
Content
I am trying to investigate the impact of this bug on Python 2.6 (yes, it is for SLE), and I am having a hard time replicating the steps in the description even on 2.7:

~$ ipython2
Python 2.7.15 (default, May 21 2018, 17:53:03) [GCC]
Type "copyright", "credits" or "license" for more information.

IPython 5.8.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: from urlparse import urlsplit

In [2]: u = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii") 

In [3]: u
Out[3]: u'https://example.com\\uFF03@bing.com'

In [4]: urlsplit(u).netloc.rpartition('@')[2]
Out[4]: u'bing.com'

In [5]: u = "https://example.com\uFF03@bing.com"

In [6]: urlsplit(u).netloc.rpartition('@')[2]
Out[6]: 'bing.com'

In [7]: u = u.encode("idna").decode("ascii") 

In [8]: urlsplit(u).netloc.rpartition('@')[2]
Out[8]: u'bing.com'

In [9]: import unicodedata

In [10]: u2 = unicodedata.normalize('NFKC', u)

In [11]: u2
Out[11]: u'https://example.com\\uFF03@bing.com'

In [12]: urlsplit(u2)
Out[12]: SplitResult(scheme=u'https', netloc=u'example.com\\uFF03@bing.com', path=u'', query='', fragment='')

In [13]:

Yes, the results are weird, and most likely they would break any software relying on them, but I am not sure that it is a security issue.

vstinner? steve.dower? What do you think?
History
Date | User | Action | Args
2019-04-03 13:35:37 | mcepl | set | recipients: + mcepl, vstinner, larry, benjamin.peterson, jkloth, ned.deily, ezio.melotti, jeremy.kloth, martin.panter, steve.dower, xtreak
2019-04-03 13:35:37 | mcepl | set | messageid: <1554298537.3.0.148287614893.issue36216@roundup.psfhosted.org>
2019-04-03 13:35:37 | mcepl | link | issue36216 messages
2019-04-03 13:35:36 | mcepl | create |
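
An added example, not part of the original message and not CPython's own code: in the session above, "\uFF03" is a Python 2 byte-string literal, so it holds a literal backslash sequence (visible in Out[3]) rather than the character U+FF03, and NFKC leaves it unchanged. The Python 3 sketch below, whose helper names are hypothetical and which assumes an absolute URL containing "://", compares the host before and after NFKC normalization for both forms and flags netloc characters that normalize into URL delimiters.

```python
import unicodedata

DELIMS = "/?#@:"  # characters with structural meaning in a URL authority

def raw_netloc(url):
    """Text between '://' and the first literal '/', '?' or '#'."""
    rest = url.split("://", 1)[1]  # assumption: url is absolute
    end = len(rest)
    for d in "/?#":
        pos = rest.find(d)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]

def host_of(netloc):
    """Host as computed in the session: everything after the last '@'."""
    return netloc.rpartition("@")[2]

def nfkc_delimiters(netloc):
    """Characters that are not delimiters but become one under NFKC."""
    found = []
    for ch in netloc:
        if ch in DELIMS:
            continue
        norm = unicodedata.normalize("NFKC", ch)
        if any(d in norm for d in DELIMS):
            found.append((ch, norm))
    return found

def compare(url):
    """(host before NFKC, host after NFKC, offending characters)."""
    before = host_of(raw_netloc(url))
    after = host_of(raw_netloc(unicodedata.normalize("NFKC", url)))
    return before, after, nfkc_delimiters(raw_netloc(url))

# Constructed inputs. The first holds the six ASCII characters \ u F F 0 3,
# as in Out[3]; the second holds the single character U+FF03.
LITERAL_BACKSLASH = r"https://example.com\uFF03@bing.com"
REAL_CHARACTER = "https://example.com\uFF03@bing.com"

if __name__ == "__main__":
    for label, url in (("literal backslash", LITERAL_BACKSLASH),
                       ("U+FF03", REAL_CHARACTER)):
        print(label, compare(url))
```

A validator built on this idea would reject any URL for which `nfkc_delimiters` returns a non-empty list, since a component that later normalizes the host would see a different authority than the one that was checked.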