Karthikeyan Singaravelan <tir.kar...@gmail.com> added the comment:

See also issue20271, which discusses the other format http://[::1]spam where ::1 
is returned as the hostname. urlparse tries to parse the hostname as an IPv6 address 
when there is a [ and parses till ] at [0], thus "benign.com\[attacker.com]" is 
treated as a URL where attacker.com is assumed to be the IPv6 hostname. I am not 
sure of the correct behavior. FWIW at least Java and golang return 
"benign.com[attacker.com]" and Ruby raises an exception that this is a bad URL.

Java

> (.getHost (java.net.URL. "http://benign.com\\[attacker.com]"))
"benign.com\\[attacker.com]"

golang: https://play.golang.org/p/q8pTo9ySLby


[0] 
https://github.com/python/cpython/blob/c5c6cdada3d41148bdeeacfe7528327b481c5d18/Lib/urllib/parse.py#L199

----------
nosy: +xtreak
stage: patch review -> 

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36338>
_______________________________________
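
Added example, not part of the original comment and not CPython code: a caller-side check that refuses the ambiguous authorities discussed above instead of trusting the parsed hostname. The name strict_host and its rules (http/https only, no backslash, brackets only around a valid IPv6 literal) are assumptions chosen for illustration; the check is deliberately stricter than the URL RFCs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical helper for this example; strict by design, so some legal URLs are refused.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_HOST = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")
_BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\](?::\d{1,5})?")
_UNSAFE = re.compile(r"[\\\s\x00-\x1f\x7f]")  # backslash, whitespace, control chars


def strict_host(url):
    """Return the host of an http(s) URL, or None if the authority is ambiguous."""
    if _UNSAFE.search(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        # Some Python versions already reject malformed bracketed hosts here.
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Work on the raw netloc, not parts.hostname, so the result does not
    # depend on how a given Python version splits around '[' and ']'.
    hostport = parts.netloc.rpartition("@")[2]
    if hostport.startswith("["):
        match = _BRACKETED.fullmatch(hostport)
        if not match:
            return None  # e.g. trailing text after ']' as in [::1]spam
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        return str(addr) if addr.version == 6 else None
    if "[" in hostport or "]" in hostport:
        return None  # brackets are only allowed around the whole host
    host, _, port = hostport.partition(":")
    if port and not (port.isascii() and port.isdigit()):
        return None
    if not _DNS_HOST.fullmatch(host):
        return None
    return host.lower()
```

The function gives the same answer whether or not the running interpreter's urlsplit raises ValueError on these inputs, because every bracket decision is made on the raw netloc.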