Author vstinner
Recipients christian.heimes, jpic, martin.panter, matrixise, orsenthil, ronaldoussoren, sanebow, vstinner, xtreak
Date 2019-10-24.10:38:17
Message-id <1571913498.0.0.793316673015.issue36338@roundup.psfhosted.org>
In-reply-to
Content
OMG parsing a URL is a can of worms... There are so many open issues related to URL parsing!

* bpo-18191: urllib.parse.splitport("::1")
* bpo-20271: urllib.parse.urlparse('http://[::1]spam:80')
* bpo-28841: urlparse.urlparse() parses invalid URI without generating an error (examples provided)
* bpo-33342: urlsplit("//user:[@host")
* bpo-34360: 'http://[::1]]'
* bpo-35377: urlparse doesn't validate the scheme
* bpo-35748: 'http://www.google.com\@xxx.com'
* bpo-36338 (this issue): urlparse('http://demo.com[attacker.com]')
* bpo-37678: urlparse('http://user:pass#?[word@example.com:80/path')

Related:

* bpo-3647: urlparse - relative url parsing and joins to be RFC3986 compliance
* bpo-16909: urlparse: add userinfo attribute
* bpo-18140: issue with 'http://auser:secr#et@192.168.0.1:8080/a/b/c.html'
* bpo-22234: urllib.parse.urlparse accepts any falsy value as an url
* bpo-22852: "urllib.parse wrongly strips empty #fragment, ?query, //netloc"
* bpo-23328: issue with "http://someuser:a/b@10.11.12.13:1234"
* bpo-23448: "urllib2 needs to remove scope from IPv6 address when creating Host header"
* bpo-23505: [CVE-2015-2104] Urlparse insufficient validation leads to open redirect

There are 124 open issues with "urllib" in their title and 12 open issues with "urlparse" in their title.
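
Added example, not part of the message above and not CPython code: a strict check of the authority component against the RFC 3986 grammar, run over the URLs quoted in the issue list. The names `strict_authority`, `is_rejected` and `PAGE_URLS` are hypothetical, and the check is deliberately independent of `urllib.parse`, whose behaviour on these inputs differs between Python versions.

```python
import ipaddress
import re

# RFC 3986: the authority ends at the first "/", "?" or "#".
_URL = re.compile(r"(?:[A-Za-z][A-Za-z0-9+.\-]*:)?//(?P<authority>[^/?#]*)")
_PCT = r"%[0-9A-Fa-f]{2}"
_USERINFO = re.compile(rf"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|{_PCT})*")
_REG_NAME = re.compile(rf"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|{_PCT})+")
_PORT = re.compile(r"[0-9]{0,5}")

def strict_authority(url):
    """Return (userinfo, host, port) or raise ValueError (hypothetical helper)."""
    m = _URL.match(url)
    if m is None:
        raise ValueError("no authority component")
    userinfo, at, hostport = m.group("authority").rpartition("@")
    if at and not _USERINFO.fullmatch(userinfo):
        raise ValueError("invalid character in userinfo")
    if hostport.startswith("["):
        # Brackets are only legal around an IP literal, with nothing but ":port" after.
        literal, close, rest = hostport[1:].partition("]")
        if not close or (rest and not rest.startswith(":")):
            raise ValueError("malformed IP literal")
        host = str(ipaddress.IPv6Address(literal))  # raises ValueError if invalid
        port = rest[1:]
    else:
        host, _, port = hostport.partition(":")
        if not _REG_NAME.fullmatch(host):
            raise ValueError("invalid character in host")
    if not _PORT.fullmatch(port):
        raise ValueError("port is not numeric")
    return (userinfo if at else None, host, int(port) if port else None)

# URLs quoted in the message above. The last three fail because an unencoded
# "#" or "/" ends the authority early, leaving a non-numeric "port".
PAGE_URLS = [
    "http://[::1]spam:80", "//user:[@host", "http://[::1]]",
    "http://www.google.com\\@xxx.com", "http://demo.com[attacker.com]",
    "http://user:pass#?[word@example.com:80/path",
    "http://auser:secr#et@192.168.0.1:8080/a/b/c.html",
    "http://someuser:a/b@10.11.12.13:1234",
]

def is_rejected(url):
    try:
        strict_authority(url)
    except ValueError:
        return True
    return False
```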