Message 355322 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	christian.heimes, jpic, martin.panter, matrixise, orsenthil, ronaldoussoren, sanebow, vstinner, xtreak
Date	2019-10-24.10:38:17
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1571913498.0.0.793316673015.issue36338@roundup.psfhosted.org>
In-reply-to

Content
OMG parsing an URL is a can of worms... There are so many open issues related to URL parsing! * bpo-18191: urllib.parse.splitport("::1") * bpo-20271: urllib.parse.urlparse('http://[::1]spam:80') * bpo-28841: urlparse.urlparse() parses invalid URI without generating an error (examples provided) * bpo-33342: urlsplit("//user:[@host") * bpo-34360: 'http://[::1]]' * bpo-35377: urlparse doesn't validate the scheme * bpo-35748: 'http://www.google.com\@xxx.com' * bpo-36338 (this issue): urlparse('http://demo.com[attacker.com]') * bpo-37678: urlparse('http://user:pass#?[word@example.com:80/path') Related: * bpo-3647: urlparse - relative url parsing and joins to be RFC3986 compliance * bpo-16909: urlparse: add userinfo attribute * bpo-18140: issue with 'http://auser:secr#et@192.168.0.1:8080/a/b/c.html' * bpo-22234: urllib.parse.urlparse accepts any falsy value as an url * bpo-22852: "urllib.parse wrongly strips empty #fragment, ?query, //netloc" * bpo-23328: issue with "http://someuser:a/b@10.11.12.13:1234" * bpo-23448: "urllib2 needs to remove scope from IPv6 address when creating Host header" * bpo-23505: [CVE-2015-2104] Urlparse insufficient validation leads to open redirect There are 124 open issues with "urllib" in their title and 12 open issues with "urlparse" in their title.

OMG parsing an URL is a can of worms... There are so many open issues related to URL parsing!

* bpo-18191: urllib.parse.splitport("::1")
* bpo-20271: urllib.parse.urlparse('http://[::1]spam:80')
* bpo-28841: urlparse.urlparse() parses invalid URI without generating an error (examples provided)
* bpo-33342: urlsplit("//user:[@host")
* bpo-34360: 'http://[::1]]'
* bpo-35377: urlparse doesn't validate the scheme
* bpo-35748: 'http://www.google.com\@xxx.com'
* bpo-36338 (this issue): urlparse('http://demo.com[attacker.com]')
* bpo-37678: urlparse('http://user:pass#?[word@example.com:80/path')

Related:

* bpo-3647: urlparse - relative url parsing and joins to be RFC3986 compliance
* bpo-16909: urlparse: add userinfo attribute
* bpo-18140: issue with 'http://auser:secr#et@192.168.0.1:8080/a/b/c.html'
* bpo-22234: urllib.parse.urlparse accepts any falsy value as an url
* bpo-22852: "urllib.parse wrongly strips empty #fragment, ?query, //netloc"
* bpo-23328: issue with "http://someuser:a/b@10.11.12.13:1234"
* bpo-23448: "urllib2 needs to remove scope from IPv6 address when creating Host header"
* bpo-23505: [CVE-2015-2104] Urlparse insufficient validation leads to open redirect

There are 124 open issues with "urllib" in their title and 12 open issues with "urlparse" in their title.

History
Date	User	Action	Args
2019-10-24 10:38:18	vstinner	set	recipients: + vstinner, ronaldoussoren, orsenthil, christian.heimes, martin.panter, matrixise, xtreak, sanebow, jpic
2019-10-24 10:38:18	vstinner	set	messageid: <1571913498.0.0.793316673015.issue36338@roundup.psfhosted.org>
2019-10-24 10:38:17	vstinner	link	issue36338 messages
2019-10-24 10:38:17	vstinner	create