This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author meetdash
Recipients meetdash
Date 2022-01-30.00:29:30
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1643502571.23.0.70657524301.issue46577@roundup.psfhosted.org>
In-reply-to
Content 
A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"

Expected behaviour (as returned by NPM urijs):
{
 "scheme": "http",
 "user": "",
 "password": "",
 "host": "google.com",
 "port": "",
 "path": "@yahoo.com/",
 "query": "",
 "fragment": "what\\is going on"
}

Actual behaviour:
{
 "scheme": "http",
 "user": "google.com",
 "password": "80\\",
 "host": "yahoo.com",
 "port": "",
 "path": "/",
 "query": "",
 "fragment": "what\\is going on"
}

Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
History
Date User Action Args
2022-01-30 00:29:31meetdashsetrecipients: + meetdash
2022-01-30 00:29:31meetdashsetmessageid: <1643502571.23.0.70657524301.issue46577@roundup.psfhosted.org>
2022-01-30 00:29:31meetdashlinkissue46577 messages
2022-01-30 00:29:30meetdashcreate