Message412118
A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.
Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"
Expected behaviour (as returned by NPM urijs):
{
"scheme": "http",
"user": "",
"password": "",
"host": "google.com",
"port": "",
"path": "@yahoo.com/",
"query": "",
"fragment": "what\\is going on"
}
Actual behaviour:
{
"scheme": "http",
"user": "google.com",
"password": "80\\",
"host": "yahoo.com",
"port": "",
"path": "/",
"query": "",
"fragment": "what\\is going on"
}
The expected version is the behaviour of other parsers that implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
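The disagreement described in this report, reproduced against urllib.parse with a defensive check alongside it. This is an added example, not code from the report or from CPython. `whatwg_normalize` is a hypothetical helper that mimics only the one WHATWG rule at issue here (for special schemes a backslash before the query or fragment acts as a path separator); it is not a full WHATWG parser, and `policy_host` is an assumed name for the check a caller would run before an allow/block-list decision.

```python
"""Added example: urllib.parse vs. WHATWG on a backslash-before-'@' URL."""
from urllib.parse import urlsplit

# Constructed sample, taken from the report above: a backslash before '@'
# ends the authority for WHATWG parsers but not for urllib.parse.
SPOOFED = "http://google.com:80\\@yahoo.com/#what\\is going on"

# Schemes the WHATWG URL Standard calls "special"; only for these does '\\'
# behave like '/'.
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}


def stdlib_view(url):
    """What urllib.parse makes of the URL (the 'actual behaviour' above)."""
    p = urlsplit(url)
    return {
        "user": p.username,
        "password": p.password,
        "host": p.hostname,
        "port": p.port,
        "path": p.path,
        "fragment": p.fragment,
    }


def whatwg_normalize(url):
    """Hypothetical helper: apply the single WHATWG rule that matters here.

    For a special scheme, every backslash before the first '?' or '#' is
    rewritten to '/', so the authority ends at the first backslash.  Query and
    fragment keep their backslashes verbatim, as the WHATWG parser does.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return url
    cut = len(rest)
    for c in "?#":
        i = rest.find(c)
        if i >= 0:
            cut = min(cut, i)
    return scheme + ":" + rest[:cut].replace("\\", "/") + rest[cut:]


def whatwg_view(url):
    """Host/port/path as a WHATWG-following parser would report them."""
    return stdlib_view(whatwg_normalize(url))


def policy_host(url):
    """Hostname to feed an allow/block list (assumed name for the check).

    Refuses any URL whose authority contains a backslash, which RFC 3986 does
    not permit there, so that the two parser families cannot be played off
    against each other.  Raises ValueError instead of guessing.
    """
    p = urlsplit(url)
    if "\\" in p.netloc:
        raise ValueError("backslash in authority: %r" % p.netloc)
    if p.hostname is None:
        raise ValueError("no host in %r" % url)
    return p.hostname


if __name__ == "__main__":
    print("urllib.parse :", stdlib_view(SPOOFED))   # host yahoo.com
    print("WHATWG-style :", whatwg_view(SPOOFED))   # host google.com, port 80
    try:
        policy_host(SPOOFED)
    except ValueError as exc:
        print("policy_host rejected:", exc)
```

Rejecting rather than normalizing is deliberate: a validator that normalizes to the WHATWG reading and then hands the original string to a client that parses it the RFC 3986 way (or the reverse) reintroduces exactly the mismatch the report describes.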
Date | User | Action | Args
2022-01-30 00:29:31 | meetdash | set | recipients: + meetdash
2022-01-30 00:29:31 | meetdash | set | messageid: <1643502571.23.0.70657524301.issue46577@roundup.psfhosted.org>
2022-01-30 00:29:31 | meetdash | link | issue46577 messages
2022-01-30 00:29:30 | meetdash | create |