[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-09-06 Thread Larry Hastings


Larry Hastings added the comment:


New changeset 095373c32d16df575ba5fcb5f44bf44119b26193 by larryhastings (Victor 
Stinner) in branch '3.5':
bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) 
(GH-13814) (#14772)
https://github.com/python/cpython/commit/095373c32d16df575ba5fcb5f44bf44119b26193


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-07-14 Thread STINNER Victor


Change by STINNER Victor:


--
pull_requests: +14565
pull_request: https://github.com/python/cpython/pull/14772




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-07-14 Thread Larry Hastings


Larry Hastings added the comment:


New changeset 4655d576141ee56a69d2052431c636858fcb916a by larryhastings (Steve 
Dower) in branch '3.5':
bpo-36742: Fixes handling of pre-normalization characters in urlsplit() 
(GH-13017) (#13042)
https://github.com/python/cpython/commit/4655d576141ee56a69d2052431c636858fcb916a





[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-11 Thread STINNER Victor


STINNER Victor added the comment:


New changeset 2b578479b96aa3deeeb8bac313a02b5cf3cb1aff by Victor Stinner in 
branch '2.7':
[2.7] bpo-36742: Fix urlparse.urlsplit() error message for Unicode URL 
(GH-13937)
https://github.com/python/cpython/commit/2b578479b96aa3deeeb8bac313a02b5cf3cb1aff





[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-10 Thread Charalampos Stratakis


Change by Charalampos Stratakis:


--
nosy: +cstratak




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-10 Thread Riccardo Schirone


Riccardo Schirone added the comment:

> CVE-2019-10160 has been assigned by Red Hat to this flaw.

For clarity, CVE-2019-10160 has been assigned to the bug introduced with the 
fix for the functional regression mentioned in this bug, and not to the bug 
itself explained in the first comment. See 
https://bugzilla.redhat.com/show_bug.cgi?id=1718388 for more details about it.




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-10 Thread STINNER Victor


Change by STINNER Victor:


--
pull_requests: +13804
pull_request: https://github.com/python/cpython/pull/13937




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-07 Thread Riccardo Schirone


Riccardo Schirone added the comment:

The fix for python-2.7
(https://github.com/python/cpython/pull/13815/files#diff-b577545d73dd0cdb2c337a4c5f89e1d7R183)
causes errors when netloc contains characters that can't be encoded by 'ascii'
codec.

You can see it by doing:
>>> netloc = u'example.com\uf...@bing.com'
>>> raise ValueError(u"netloc '" + netloc + u"' contains invalid characters under NFKC normalization")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: 
>>> str(netloc)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode character u'\uff03' in position 11: ordinal not in range(128)

I suggest we use `repr(netloc)` instead of `netloc` in the ValueError message.

--
nosy: +rschiron
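
Added example (not from the thread, and not the CPython patch itself): a Python 3 netloc check that rejects a netloc when NFKC normalization introduces a URL delimiter, and that formats the error with ascii(), the Python 3 counterpart of the repr(netloc) suggestion above, so the message can always be encoded. The names check_netloc and is_safe_netloc and the sample inputs are constructed for illustration.

```python
import unicodedata

DELIMS = "/?#@:"  # characters with structural meaning in a URL authority


def check_netloc(netloc):
    """Raise ValueError if NFKC normalization would introduce a URL delimiter.

    Hypothetical helper written for this example; not CPython's own code.
    """
    if not netloc or netloc.isascii():
        return
    # Drop delimiters that are already literally present, so that only
    # delimiters *created* by normalization are detected.
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    if any(c in normalized for c in DELIMS):
        # ascii() escapes every non-ASCII code point, so the message can be
        # printed or logged regardless of the output encoding.
        raise ValueError("netloc %s contains invalid characters under NFKC "
                         "normalization" % ascii(netloc))


def is_safe_netloc(netloc):
    """Return True when check_netloc() accepts the value."""
    try:
        check_netloc(netloc)
    except ValueError:
        return False
    return True


# Constructed sample inputs (not taken from the tracker).
SAMPLES = [
    "example.com",                  # plain ASCII
    "user:pw@example.com:8080",     # literal delimiters only
    "b\u00fccher.example",          # non-ASCII, unchanged by NFKC
    "\uff45xample.com",             # fullwidth 'e': changes, no delimiter
    "example.com\uff03@bing.com",   # U+FF03 normalizes to '#'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), is_safe_netloc(sample))
```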




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-07 Thread STINNER Victor


STINNER Victor added the comment:

CVE-2019-10160 has been assigned by Red Hat to this flaw.




[issue36742] CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@

2019-06-07 Thread STINNER Victor


Change by STINNER Victor:


--
title: urlsplit doesn't accept a NFKD hostname with a port number -> 
CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@
