Karthikeyan Singaravelan <[email protected]> added the comment:
I just tested other implementations in Ruby and Go and they too return host as "evil.com" for "http://[email protected]"; along with the user info component. $ ruby -e 'require "uri"; puts URI("http://[email protected]";).hostname' evil.com $ cat /tmp/foo.go package main import ( "fmt" "net/url" ) func main() { u, _ := url.Parse(`http://[email protected]`) fmt.Println(u.Host); fmt.Println(u.User); } $ go run /tmp/foo.go evil.com www.google.com ---------- nosy: +xtreak _______________________________________ Python tracker <[email protected]> <https://bugs.python.org/issue35748> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
