On Tuesday, 7 March 2017 02:01:06 CET Orange Tsai wrote:
> I am surprised that `http://u...@evil.com:8...@good.com` will connect to
> `evil.com`, not `good.com`.
> Most URL parsers will recognize `good.com` as the host part. Like this
> advisory, https://curl.haxx.se/docs/adv_20161102J.html
> It seems more dangerous if a developer still relies on the result of parsing
> the URL than my original report.
>
> Some testing:
> $ python try.py 'http://user@127.3.3.3:80@127.2.2.2/x'
>
> Python scheme=http, host=user@127.3.3.3:80@127.2.2.2, port=
> PHP scheme=http, host=127.2.2.2, port=
> Perl scheme=http, host=127.2.2.2, port=80
> Ruby2 scheme=http, host=127.2.2.2, port=
> GO scheme=http, host=127.2.2.2, port=
> Java scheme=http, host=, port=-1
> JS scheme=http, host=127.2.2.2, port=null
>
> But it also seems to be the same root cause, fixed by this patch. :)
> By the way, would you mind allocating a CVE-ID to address this?

I'd appreciate that. But I never did that, so who allocates a CVE, and how and where? I am willing to learn :-)

Tim
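
The parser disagreement discussed in this thread, as an added example that is not part of either message or of the patch under discussion: a check that computes the host both ways (userinfo ending at the first `@` versus the last `@`) and refuses any URL where the authority is ambiguous. The function names `authority_of`, `host_views` and `is_allowed` are hypothetical; the sample URL is the one from the quoted test.

```python
import re

# Authority: the text between "//" and the next "/", "?" or "#" (RFC 3986, 3.2).
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


def authority_of(url):
    m = _AUTHORITY.match(url)
    if m is None:
        raise ValueError("URL has no scheme://authority part")
    return m.group(1)


def _strip_port(hostport):
    host, sep, port = hostport.rpartition(":")
    return host if sep and (port == "" or port.isdigit()) else hostport


def host_views(url):
    """Return the host as read by two parser styles: (first-'@', last-'@')."""
    authority = authority_of(url)
    last = _strip_port(authority.rsplit("@", 1)[-1])
    if authority.count("@") < 2:
        return last, last
    # A parser that ends userinfo at the first '@' reads the host up to the
    # next ':' or '@' and treats the rest as a (malformed) port.
    rest = authority.split("@", 1)[1]
    return re.split(r"[:@]", rest, maxsplit=1)[0], last


def is_allowed(url, allowed_hosts):
    """Accept only URLs with an unambiguous authority and an allowed host."""
    try:
        authority = authority_of(url)
        first, last = host_views(url)
    except ValueError:
        return False
    # An unencoded '@' is not valid inside userinfo, so more than one '@'
    # means parsers may disagree on the host: reject instead of guessing.
    if authority.count("@") > 1 or first != last:
        return False
    return last.lower() in allowed_hosts


if __name__ == "__main__":
    sample = "http://user@127.3.3.3:80@127.2.2.2/x"  # URL from the quoted test
    print(host_views(sample), is_allowed(sample, {"127.2.2.2"}))
```

Rejecting on the raw `@` count, before any library parser is consulted, keeps the allow-list decision independent of which interpretation the HTTP client later applies.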