Yassine ABOUKIR added the comment:

From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 14:09:55 +1300

On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:
> We think that the issue reduces to the question of whether it's
> acceptable for urlparse to provide inconsistent information about the
> structure of a URL.
>
> https://docs.python.org/2/library/urlparse.html says:
>
>   urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
>
>   Parse a URL into six components, returning a 6-tuple. This
>   corresponds to the general structure of a URL:
>   scheme://netloc/path;parameters?query#fragment.

My 2c ... no it does not. There are 7 parts in a URL. What is called "netloc" in that description is actually two fields:

  [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes. Ignoring the userinfo field leaves implementations open to attacks of the form:

  scheme://example.com@phishing.com/path

AYJ

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23505>
_______________________________________
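The netloc/userinfo distinction raised in the message above, as an added example that is not part of the original thread or of CPython: a host allow-list check that reads `netloc` as the host, next to one that compares the parsed host and refuses userinfo. It assumes Python 3's `urllib.parse` (the successor of the `urlparse` module quoted above); the allow-list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit  # Python 3 home of the Python 2 urlparse module

ALLOWED_HOSTS = {"example.com"}  # constructed allow-list (assumption)


def split_netloc(url):
    """Break netloc into the fields the message distinguishes."""
    parts = urlsplit(url)
    # Everything before the last '@' is userinfo, as in urllib's own parsing.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return {
        "netloc": parts.netloc,
        "userinfo": userinfo if at else None,
        "host": parts.hostname,  # lower-cased, userinfo and port removed
        "port": parts.port,
    }


def naive_is_allowed(url):
    """Flawed check: treats netloc as if it were only the host."""
    netloc = urlsplit(url).netloc
    return any(netloc.startswith(host) for host in ALLOWED_HOSTS)


def strict_is_allowed(url):
    """Compare the real host exactly and refuse URLs that carry userinfo."""
    fields = split_netloc(url)
    if fields["userinfo"] is not None:
        return False
    return fields["host"] in ALLOWED_HOSTS


# Constructed sample URLs; phishing.example is a placeholder host.
SAMPLES = [
    "https://example.com/path",
    "https://example.com@phishing.example/path",
    "https://example.com.phishing.example/path",
    "https://EXAMPLE.com:8443/path",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, split_netloc(url), naive_is_allowed(url), strict_is_allowed(url))
```
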