Message349153
Python2 urlparse.urlparse and urllib2.urlparse.urlparse have a similar IPv6 hostname parsing bug.
>>> urlparse.urlparse('http://nevil.com[]').hostname
>>> 'evil.com['
This is less practical to exploit since the parsed domain contains a '[' in the end.
Do I need to create a separate issue for this Python2 bug?
I think the way PR 14896 fix the python3 bug can also be applied to this.
Also, do we need a CVE ID for the python3 bug? As it may lead to some security issues in some Python apps, e.g., open-redirect. I have found such a case in a private bug bounty program. |
|
Date |
User |
Action |
Args |
2019-08-07 07:47:54 | sanebow | set | recipients:
+ sanebow, ronaldoussoren, orsenthil, martin.panter, matrixise, xtreak, jpic |
2019-08-07 07:47:54 | sanebow | set | messageid: <1565164074.83.0.663936524704.issue36338@roundup.psfhosted.org> |
2019-08-07 07:47:54 | sanebow | link | issue36338 messages |
2019-08-07 07:47:54 | sanebow | create | |
|