[issue2504] Add gettext.pgettext() and variants support

[Hanno Zulla]

Hanno Zulla added the comment:

Can we please get pgettext for Python?

--
nosy: +Hanno.Zulla

___
Python tracker 
<http://bugs.python.org/issue2504>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

we should at least check if the .port attribute is an intereger >= 1 and <= 
65535. _because_ this is the only valid port range. otherwise, it is no valid 
port. but it may be a integer overflow attack attempt

when a developer uses .port, he is counting on the result being valid

--

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

Your comment is completely senseless, sorry.
Of course such high port numbers do not exist.

An attacker is counting on that. Imagine something like that

pass_to_cython(urlparse("http://google.de:99**99[to be 
calculated]").port)

--

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

>>> u("http://www.google.com:99";).port
99L

--

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

I understand your point of view, but I disagree.

Various libraries and projects rely on urlparse.urlparse and 
urllib.parse.urlparse.

This bug just blew up in my face. I'm working with Cython and PyQt4.

When a developer relies on ParseResult().netloc being a valid netloc, and .port 
being None [bool(False)] or a integer between 1-65535 really bad things can 
happen in a environment that has 0-tolerance for security issues (like C/C++ 
mixed in python).

I agree that the 

if self.scheme == "http":
return 80
elif self.scheme == "https":
[...]

part of my patch is debetable, but we should _at least_ ensure that IF there is 
a ParseResult().port, the developer can be sure that it is a valid port between 
1-65545.

i apologize for upload the whole file; i attached the diff now.

regards,
dan

--
keywords: +patch
Added file: http://bugs.python.org/file24541/urlparse.diff

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

Changes by zulla :


Removed file: http://bugs.python.org/file24535/urlparse.py

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

Whops. I forgot an int() :-)

Here's the right patch.

--
Added file: http://bugs.python.org/file24540/testurllib.py

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

Hi. No, it's a patched version. It won't crash under circumstances like that 
[1] and won't succeed with invalid input:


>>> import urlparse
>>> urlparse.urlparse("http://www.google.com:foo";)
ParseResult(scheme='http', netloc='www.google.com:foo', path='', params='', 
query='', fragment='')
>>> urlparse.urlparse("http://www.google.com:foo";).port
Traceback (most recent call last):
  File "", line 1, in 
  File 
"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py",
 line 105, in port
port = int(netloc.split(':')[1], 10)
ValueError: invalid literal for int() with base 10: 'foo'
>>>

--

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

zulla  added the comment:

The "port" and "netloc" component of a ParsedResult-object is not properly 
sanitized or validated. This may lead to bypass-able hostname-based filters. 
Remote Crash vulnerabilities be be also possible.

--

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14036] urlparse insufficient port property validation

[zulla]

New submission from zulla :

The "port" component of a URL is not properly be sanitized or validated. This 
may lead to the evasion of netloc/hostname based filters or exceptions.

--
components: Library (Lib)
files: testurllib.py
messages: 153512
nosy: zulla
priority: normal
severity: normal
status: open
title: urlparse insufficient port property validation
type: security
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file24535/testurllib.py

___
Python tracker 
<http://bugs.python.org/issue14036>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com