[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2021-05-11 Thread Larry Hastings


Change by Larry Hastings:


--
nosy:  -larry

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2021-05-11 Thread Kubilay Kocak


Kubilay Kocak added the comment:

Fix meta (not incl 2.7 which is no longer available to select).

--
components: +Unicode -FreeBSD
versions: +Python 3.7, Python 3.8




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2021-05-10 Thread dcockcn


Change by dcockcn:


--
components: +FreeBSD -Unicode
nosy: +koobs




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2021-05-10 Thread dcockcn


Change by dcockcn:


--
versions:  -Python 2.7, Python 3.4, Python 3.5, Python 3.7, Python 3.8




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-05-10 Thread Ned Deily


Change by Ned Deily:


--
Removed message: https://bugs.python.org/msg342088




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-05-10 Thread Ned Deily


Ned Deily added the comment:


New changeset 62d36547f97210a26cc6051da78714fd078e158c by larryhastings (Steve 
Dower) in branch '3.4':
bpo-36216: Add check for characters in netloc that normalize to separators 
(GH-12201) (#12224)
https://github.com/python/cpython/commit/62d36547f97210a26cc6051da78714fd078e158c


--


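The changeset title above describes a check for netloc characters that normalize to separators. The following is an added example, not the CPython patch and not code from this thread: it is a simplified per-character version of that idea. The sample URL is constructed (it uses U+2048, which NFKC folds to "?!"), and the helper names are hypothetical. The authority is cut out by hand so the result does not depend on whether the local urlsplit already carries the fix.

```python
import unicodedata

SEPARATORS = "/?#@:"  # characters that delimit URL components


def raw_netloc(url):
    """Cut the authority out by hand (hypothetical helper for this demo)."""
    rest = url.split("://", 1)[1]
    for sep in "/?#":
        rest = rest.split(sep, 1)[0]
    return rest


def host_of(url):
    """Host as computed in this thread: text after the last '@' in netloc."""
    return raw_netloc(url).rpartition("@")[2]


def separator_lookalikes(netloc):
    """Return (char, NFKC form) for every non-ASCII character in netloc
    whose NFKC form contains a URL separator."""
    found = []
    for ch in netloc:
        if ord(ch) < 128:
            continue  # real separators were already handled by the split
        folded = unicodedata.normalize("NFKC", ch)
        if any(sep in folded for sep in SEPARATORS):
            found.append((ch, folded))
    return found


def check_netloc(url):
    """Reject a URL whose authority changes meaning under NFKC."""
    hits = separator_lookalikes(raw_netloc(url))
    if hits:
        raise ValueError("netloc has characters that normalize to "
                         "separators: %r" % (hits,))
    return url


# Constructed sample, not the URL from the thread.
SAMPLE = "https://example.com\u2048@bing.com"

if __name__ == "__main__":
    print(host_of(SAMPLE))                                 # parsed as given
    print(host_of(unicodedata.normalize("NFKC", SAMPLE)))  # after NFKC
    print(separator_lookalikes(raw_netloc(SAMPLE)))
```

The two printed hosts differ: a component that validates the URL as given and one that normalizes it first (as IDNA processing does) disagree about which host is addressed, which is the condition the check rejects.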


[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-04-03 Thread Matej Cepl


Matej Cepl added the comment:

You are right. Thank you.

--




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-04-03 Thread Steve Dower


Steve Dower added the comment:

You need a "u" prefix on some of your strings or they're probably being 
immediately decomposed. The result of urlsplit should be unicode on Python 2 
for a Unicode input, and yours are not.

--




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-04-03 Thread Matej Cepl


Matej Cepl added the comment:

I am trying to investigate the impact of this bug on Python 2.6 (yes, it is for 
SLE), and I am having a hard time replicating the steps in the description even on 2.7:

~$ ipython2
Python 2.7.15 (default, May 21 2018, 17:53:03) [GCC]
Type "copyright", "credits" or "license" for more information.

IPython 5.8.0 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help  -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: from urlparse import urlsplit

In [2]: u = "https://example.com\uf...@bing.com".encode("idna").decode("ascii") 

In [3]: u
Out[3]: u'https://example.com\\uf...@bing.com'

In [4]: urlsplit(u).netloc.rpartition('@')[2]
Out[4]: u'bing.com'

In [5]: u = "https://example.com\uf...@bing.com;

In [6]: urlsplit(u).netloc.rpartition('@')[2]
Out[6]: 'bing.com'

In [7]: u = u.encode("idna").decode("ascii") 

In [8]: urlsplit(u).netloc.rpartition('@')[2]
Out[8]: u'bing.com'

In [9]: import unicodedata

In [10]: u2 = unicodedata.normalize('NFKC', u)

In [11]: u2
Out[11]: u'https://example.com\\uf...@bing.com'

In [12]: urlsplit(u2)
Out[12]: SplitResult(scheme=u'https', netloc=u'example.com\\uf...@bing.com', 
path=u'', query='', fragment='')

In [13]:

Yes, the results are weird, and most likely they would break any software 
relying on them, but I am not sure that it is a security issue.

vstinner ? steve.dower ? What do you think?

--
nosy: +mcepl




[issue36216] CVE-2019-9636: urlsplit does not handle NFKC normalization

2019-03-14 Thread STINNER Victor


Change by STINNER Victor:


--
title: urlsplit does not handle NFKC normalization -> CVE-2019-9636: urlsplit 
does not handle NFKC normalization
