STINNER Victor added the comment:
>>> urlparse("//evil.com")
ParseResult(scheme='', netloc='evil.com', path='', params='', query='',
fragment='')
I see evil.com in the netloc field, ok. But Firefox doesn't use Python to parse
and url, and typing //evil.com in the address bar converts the address to
file:////evil.com. Not a website, but a local file.
So I don't understand the redirection part. Could you maybe write a vulnerable
CGI script to demonstrate the bug?
I wrote the following HTML file to try to understand the bug, but I was only
able to show the content of my local file /etc/issue:
<head>
<META http-equiv="refresh" content="5;URL=////etc/issue">
</head>
<p><a href="////etc/issue">issue</a></p>
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue23505>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
