Karthikeyan Singaravelan <[email protected]> added the comment:
As @gregory.p.smith noted in GitHub [0] this fixes only protocol level bugs.
There are some parsing ambiguities in urllib that are potential security issues
still to be fixed.
issue20271 - urllib.urlparse('http://benign.com\[attacker.com]') returns
attacker.com as hostname . A slightly related issue
https://bugs.python.org/issue20271
issue35748 - urllib.urlparse(r'http://spam\eggs!cheese&[email protected]')
returns evil.com as hostname
issue23505 - Urlparse insufficient validation leads to open redirect
issue33661 - urllib may leak sensitive HTTP headers to a third-party web site
(Redirecting from https to http might also pass some headers in plain text.
This behavior was changed in requests, golang, Curl that had their own
respective CVEs)
As a fun side note this vulnerability was used by one of our own tests as a
feature from 2012 to test another security issue (issue14001) [1] :)
[0] https://github.com/python/cpython/pull/12755#issuecomment-481599611
[1] https://github.com/python/cpython/pull/12755#issuecomment-481618741
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue30458>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
