I am surprised that `http://u...@evil.com:8...@good.com` will connect to `evil.com`, not `good.com`. Most URL parsers will recognize `good.com` as the host part. Like this advisory: https://curl.haxx.se/docs/adv_20161102J.html

It seems more dangerous than my original report if a developer still relies on the result of parsing the URL.
Some testing:

    $ python try.py 'http://user@127.3.3.3:80@127.2.2.2/x'
    Python scheme=http, host=user@127.3.3.3:80@127.2.2.2, port=
    PHP scheme=http, host=127.2.2.2, port=
    Perl scheme=http, host=127.2.2.2, port=80
    Ruby2 scheme=http, host=127.2.2.2, port=
    GO scheme=http, host=127.2.2.2, port=
    Java scheme=http, host=, port=-1
    JS scheme=http, host=127.2.2.2, port=null

But it seems to also have the same root cause and to be fixed by this patch. :)

By the way, would you mind allocating a CVE-ID to address this?

2017-03-07 0:11 GMT+08:00 Eli Zaretskii <e...@gnu.org>:

> > From: Tim Ruehsen <tim.rueh...@gmx.de>
> > Date: Mon, 06 Mar 2017 10:17:25 +0100
> > Cc: Orange Tsai <orange.8...@gmail.com>
> >
> > Thanks, just pushed a commit, not allowing control chars in host part.
>
> Hmm... is it really enough to reject only ASCII control characters?
> Maybe we should also reject control characters from other Unicode
> ranges? Just a thought.
>

--
- Orange -
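
A defender-side check for the parser disagreement shown in the test run above, as an added example that is not part of the original message or of the wget commit: it refuses any URL whose authority has more than one `@` or contains a control or separator character, instead of guessing which host is meant. `check_authority` is a hypothetical name, and rejecting all Unicode categories C and Z is an assumption of this example.

```python
import re
import unicodedata

# RFC 3986: the authority runs from "//" to the first "/", "?" or "#".
_AUTHORITY = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")

# check_authority is a hypothetical helper name, not a wget or curl API.
def check_authority(url):
    """Return (host, port) for an unambiguous URL, else raise ValueError."""
    m = _AUTHORITY.match(url)
    if not m:
        raise ValueError("no scheme://authority")
    authority = m.group(1)

    # Assumption: reject every Unicode "Other" (Cc, Cf, ...) and separator
    # (Zs, Zl, Zp) code point, which covers more than the ASCII controls.
    for ch in authority:
        if unicodedata.category(ch)[0] in "CZ":
            raise ValueError("control or space character U+%04X" % ord(ch))

    # Userinfo may not contain a raw "@", so a second "@" means parsers
    # can disagree on where the host starts. Refuse instead of guessing.
    if authority.count("@") > 1:
        raise ValueError("more than one '@' in authority")

    hostport = authority.rpartition("@")[2]
    if hostport.startswith("["):            # IPv6 literal such as [::1]:80
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = hostport[:end + 1], hostport[end + 1:]
    else:
        host, colon, rest = hostport.partition(":")
        rest = colon + rest
    if rest and not re.fullmatch(r":[0-9]*", rest):
        raise ValueError("malformed port")
    if not host:
        raise ValueError("empty host")
    return host.lower(), int(rest[1:]) if len(rest) > 1 else None

if __name__ == "__main__":
    # Constructed inputs; the first is the URL from the test run above.
    for u in ("http://user@127.3.3.3:80@127.2.2.2/x", "http://user@127.2.2.2:80/x"):
        try:
            print(u, "->", check_authority(u))
        except ValueError as e:
            print(u, "-> rejected:", e)
```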