[issue30500] urllib connects to a wrong host

2017-06-07 Thread STINNER Victor

STINNER Victor added the comment:

> I think the best behavior is to do what popular web browsers do. Chrome and 
> Firefox, for example, parse this as host 127.0.0.1, path /, fragment 
> #@evil.com.

I agree that in case of doubt, it's better to follow the implementation of the 
most popular web browsers, which indirectly define the "standard".

--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue30500] urllib connects to a wrong host

2017-05-29 Thread Nam Nguyen

Nam Nguyen added the comment:

I think the best behavior is to do what popular web browsers do. Chrome and 
Firefox, for example, parse this as host 127.0.0.1, path /, fragment 
#@evil.com.

If the code does want to support username/password, it should do a custom 
opener (with basic HTTP authentication) instead.

--




[issue30500] urllib connects to a wrong host

2017-05-29 Thread Nam Nguyen

Changes by Nam Nguyen:


--
pull_requests: +1937




[issue30500] urllib connects to a wrong host

2017-05-28 Thread Martin Panter

Martin Panter added the comment:

See also Issue 18140, where it looks like people _want_ the hash (#) to be part 
of the username and/or password.

Another option may be to raise an exception.

--
nosy: +martin.panter




[issue30500] urllib connects to a wrong host

2017-05-28 Thread Mariatta Wijaya

Changes by Mariatta Wijaya:


--
versions: +Python 3.5, Python 3.6




[issue30500] urllib connects to a wrong host

2017-05-28 Thread Nam Nguyen

New submission from Nam Nguyen:

Reported by Orange Tsai:

==
Hi, Python Security Team

import urllib
from urlparse import urlparse

url = 'http://127.0.0.1#@evil.com/'
print urlparse(url).netloc  # 127.0.0.1
print urllib.urlopen(url).read()  # will access evil.com


I have tested on the latest version of Python 2.7.13.
==

--
components: Library (Lib)
messages: 294667
nosy: Nam.Nguyen
priority: normal
pull_requests: 1933
severity: normal
status: open
title: urllib connects to a wrong host
type: security
versions: Python 2.7, Python 3.7
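
The host mismatch reported above can be caught before a request is made. The following is an added example (Python 3), not code from this thread or from CPython: lenient_host is an assumed, simplified model of a splitter that does not end the authority at "#", and check_url and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed model of the lenient reading: the authority ends only at "/" or "?",
# so a "#" and anything after it stays inside the authority.
_LENIENT_AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?]*)", re.I)


def lenient_host(url):
    """Host that a '#'-unaware splitter would end up connecting to."""
    m = _LENIENT_AUTHORITY.match(url)
    if not m:
        return None
    hostport = m.group(1).rpartition("@")[2]  # drop any "user:pass@" prefix
    # IPv6 literals are not modelled; they mismatch and are rejected below.
    return hostport.partition(":")[0].lower() or None


def strict_host(url):
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def check_url(url, allowed_hosts):
    """Return (ok, reason). Fail closed when the two readings disagree."""
    strict, lenient = strict_host(url), lenient_host(url)
    if strict is None:
        return False, "no host"
    if strict != lenient:
        return False, "ambiguous authority: %s vs %s" % (strict, lenient)
    if strict not in allowed_hosts:
        return False, "host not allowed: %s" % strict
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the URL from the report and a well-formed one.
    for u in ("http://127.0.0.1#@evil.com/",
              "http://user:pw@example.com:8080/x#frag"):
        print(u, check_url(u, {"127.0.0.1", "example.com"}))
```

Because the check fails closed, a URL such as http://example.com#frag (fragment directly after the host, no path) is also rejected as ambiguous.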
